Skip to main content

Sending Jboss Server Logs to Logstash Using Filebeat with Multiline Support

In addition to sending system logs to logstash, it is possible to add a prospector section to the filebeat.yml for jboss server logs. Sometimes jboss server.log has single events made up from several lines of messages. In such cases Filebeat should be configured for a multiline prospector.

Filebeat takes lines do not start with a date pattern (look at pattern in the multiline section "^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}" and negate section is set to true) and combines them with the previous line that starts with a date pattern.

server.log file excerpt where DatePattern: yyyy-MM-dd-HH and ConversionPattern: %d %-5p [%c] %m%n
Logstash filter:


Comments

  1. Hello,
    I use your tutorial, i need to use some index pattern differente from filebeat-* ?

    Thanks

    ReplyDelete
  2. Hi, what do you mean by index pattern? is it elasticsearch index? If so, you can configure logstash's elasticsearch output section to change index pattern.

    ReplyDelete

Post a Comment

Popular posts from this blog