Using Sidecars to have a multiline output from GELF input

Hello,

I receive logs from Docker containers using the native dual-logging option with a GELF output that comes with the latest versions of Docker. I would like to join some of these messages, which were multiline at the beginning but are then fragmented by the Docker output (it seems there is no Docker solution to handle that). Before, I was using logspout, which gave me the option of a multiline function using a regex.

I was wondering if I could do something similar with the sidecar function of Graylog. I tried a bit but didn’t find anything related to a multiline function (which apparently existed in previous versions of Graylog, reading some old messages on the web).

Thanks in advance

Hello && Welcome

I might be able to assist you. In this forum a couple of community members had the same issue.

One solution was using Filebeat with the Graylog Sidecar.

FileBeat-Multiline-Examples

Once you have the sidecar installed, the rest will be configured through the Web UI.

Here is another post on using a multiline configuration with Filebeat. Perhaps that might get you started.

Depending on which version you're using, you can use a Collector as shown below.

We do have tags for multi-line; they may help in searching, as shown below.

Hope that helps

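To make the Filebeat-with-Sidecar suggestion concrete, here is an added example of the kind of Filebeat configuration a Sidecar collector would push to a Docker host. It is not from the thread, the linked posts, or the Graylog project: the Graylog hostname and port, the log path and the line-start regex are assumptions for illustration. The important point is that Filebeat reads the container log files directly and reassembles the fragments itself, so the joined events arrive on a Graylog Beats input rather than on the GELF input.

```yaml
# Added example, not part of the original thread. Hostname, port, path and regex are assumed.
filebeat.inputs:
  - type: container
    # Docker's json-file logs on the host; Filebeat reads these files instead of the GELF stream.
    paths:
      - '/var/lib/docker/containers/*/*.log'
    # Reassemble multiline events: a line that starts with an ISO-8601 timestamp begins a
    # new event; every other line is a continuation appended to the previous event.
    # Assumption: the applications in these containers prefix each log record with a timestamp.
    multiline.type: pattern
    multiline.pattern: '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}'
    multiline.negate: true     # lines NOT matching the pattern are continuations ...
    multiline.match: after     # ... and are glued after the line that matched
    multiline.max_lines: 500   # cap the size of one event so a runaway stack trace cannot grow unbounded
    multiline.timeout: 5s      # flush a partially collected event if no further line arrives

output.logstash:
  # Graylog "Beats" input; assumed to listen on port 5044 on the Graylog host.
  hosts: ["graylog.example.internal:5044"]
```

The regex on `multiline.pattern` is the piece to adapt: it must match only the first line of a record in your containers' format, otherwise continuation lines are emitted as separate messages just as they are today. `max_lines` and `timeout` are worth keeping even when they seem unnecessary, since they bound how much a single misbehaving container can buffer in the collector.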
