multiline is currently not supported in syslog input, there was a question about that in discuss.
We probably need to keep in mind for this input that lines can include the hostname and the username as preffix (for example if the log is sent using the logger command).
jsoriano
All 4 comments
@jsoriano Yes, we need to add support for that. @kvch is doing a lot of refactoring around our readers in Filebeat to make them reusable and allowing us to support this use case.
ph
on 23 Jul 2018
Hey, all. Just a thought, but maybe you could log a message that says you're ignoring all multiline options in the config for type: syslog? Would have saved me a day and a half of debugging before I found this...
daveman1010221
on 10 Jan 2019
I am sorry you had to debug this for a day. The list of currently supported config options can be found here: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-syslog.html
Unfortunately, our configuration validation is not able to detect such problems yet. We are adding a configuration schema to avoid such issues soon.
kvch
on 10 Jan 2019
I am trying to work around this issue by using a dissect filter to remove leading fields like timestamp, host e.t.c.
I use the log input type as all logs are available via SMB.
Where i am stuck is at applying multiline after dissect has taken place.
Maybe create a distinct multiline processor? It could solve my issue by allowing me to control the order of execution.
This way there can be more fine grained control and many possibilities to solve this type of issues.
GeorgeGkinis
on 25 Mar 2019
Related issues
kemra102
路
3Comments
nicpenning
路
3Comments
pigletfly
路
3Comments
TomaszKlosinski
路
3Comments
musayev-io
路
3Comments
Most helpful comment
@jsoriano Yes, we need to add support for that. @kvch is doing a lot of refactoring around our readers in Filebeat to make them reusable and allowing us to support this use case.