I had Logstash running, sending multi-line Java logs to Elasticsearch fine, using the following regexp:
I am trying to do the same using the in_tail multiline format but I cannot get the syntax right. Could someone point me in the right direction here? Here is an example snippet of the log:
2015-02-17 16:32:19,829 INFO [LmtpServer-3866] [name=hid...@email.com;mid=835;ip=20.4.5.143;] lmtp - S: 452 4.2.2 Over quota (DATA)
2015-02-17 16:32:19,856 INFO [ImapServer-9] [name=hid...@email.com;mid=3262;ip=20.4.5.104;oip=212.33.134.66;via=10.1.5.193(nginx/1.2.0-zimbra);ua=iPhone Mail/12B466;] imap - UID SEARCH elapsed=9
2015-02-17 16:32:19,856 INFO [LmtpServer-3870] [ip=20.4.5.143;] lmtp - Delivering message: size=47744 bytes, nrcpts=1, sender=bounce-1465...@email.com, msgid=<LYRIS-1538802-1465487-2015.02.15-00.10.07--hidden#email...@email.com>
2015-02-17 16:32:19,857 ERROR [LmtpServer-3870] [name=hid...@email.com;mid=3279;ip=20.4.5.143;] jsieve - Evaluation failed. Reason: null
2015-02-17 16:32:19,857 WARN [LmtpServer-3870] [name=hid...@email.com;mid=3279;ip=20.4.5.143;] filter - An error occurred while processing filter rules. Filing message to /Inbox.
com.zimbra.cs.filter.ZimbraSieveException
at com.zimbra.cs.filter.ZimbraMailAdapter.executeActions(ZimbraMailAdapter.java:281)
at org.apache.jsieve.SieveFactory.evaluate(SieveFactory.java:173)
at com.zimbra.cs.filter.RuleManager.applyRulesToIncomingMessage(RuleManager.java:340)
at com.zimbra.cs.filter.RuleManager.applyRulesToIncomingMessage(RuleManager.java:302)
at com.zimbra.cs.lmtpserver.ZimbraLmtpBackend.deliverMessageToLocalMailboxes(ZimbraLmtpBackend.java:614)
at com.zimbra.cs.lmtpserver.ZimbraLmtpBackend.deliver(ZimbraLmtpBackend.java:384)
at com.zimbra.cs.lmtpserver.LmtpHandler.processMessageData(LmtpHandler.java:378)
at com.zimbra.cs.lmtpserver.TcpLmtpHandler.continueDATA(TcpLmtpHandler.java:75)
at com.zimbra.cs.lmtpserver.LmtpHandler.doDATA(LmtpHandler.java:367)
at com.zimbra.cs.lmtpserver.LmtpHandler.processCommand(LmtpHandler.java:183)
at com.zimbra.cs.lmtpserver.TcpLmtpHandler.processCommand(TcpLmtpHandler.java:68)
at com.zimbra.cs.server.ProtocolHandler.processConnection(ProtocolHandler.java:190)
at com.zimbra.cs.server.ProtocolHandler.run(ProtocolHandler.java:129)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.zimbra.cs.mailbox.MailServiceException: mailbox exceeded quota of 1073741824 bytes
ExceptionId:LmtpServer-3870:1424183539857:71a8aeb42e47fb67
Code:mail.QUOTA_EXCEEDED Arg:(limit, NUM, "1073741824")
at com.zimbra.cs.mailbox.MailServiceException.QUOTA_EXCEEDED(MailServiceException.java:355)
at com.zimbra.cs.mailbox.Mailbox.checkSizeChange(Mailbox.java:1376)
at com.zimbra.cs.mailbox.Mailbox.addMessageInternal(Mailbox.java:5909)
at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5783)
at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5717)
at com.zimbra.cs.mailbox.Mailbox.addMessage(Mailbox.java:5712)
at com.zimbra.cs.filter.IncomingMessageHandler.addMessage(IncomingMessageHandler.java:133)
at com.zimbra.cs.filter.IncomingMessageHandler.implicitKeep(IncomingMessageHandler.java:125)
at com.zimbra.cs.filter.ZimbraMailAdapter.doDefaultFiling(ZimbraMailAdapter.java:346)
at com.zimbra.cs.filter.ZimbraMailAdapter.executeActions(ZimbraMailAdapter.java:221)
... 15 more
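
The grouping the question asks for, as an added Ruby example (not part of the original post and not Fluentd's own code): a line that starts with a timestamp opens a new event and every other line is appended to it, so the stack trace stays with the `name=`/`ip=` context of its header line. The two regexes are written with `format_firstline` and `format1` in mind; the field names and the shortened sample are assumptions.

```ruby
# Added example, not from the original post. FIRSTLINE plays the role of
# in_tail's format_firstline and EVENT the role of format1; the field names
# (thread, context, component) are assumptions chosen for this sketch.
FIRSTLINE = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} /
EVENT = /\A(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?<level>[A-Z]+) +\[(?<thread>[^\]]+)\] \[(?<context>[^\]]*)\] (?<component>\S+) - (?<message>.*)\z/m

# Constructed sample, shortened from the log lines in the post
# (user@example.com is a placeholder address).
SAMPLE = <<~LOG
  2015-02-17 16:32:19,829 INFO [LmtpServer-3866] [name=user@example.com;mid=835;ip=20.4.5.143;] lmtp - S: 452 4.2.2 Over quota (DATA)
  2015-02-17 16:32:19,857 WARN [LmtpServer-3870] [name=user@example.com;mid=3279;ip=20.4.5.143;] filter - An error occurred while processing filter rules. Filing message to /Inbox.
  com.zimbra.cs.filter.ZimbraSieveException
  at com.zimbra.cs.filter.ZimbraMailAdapter.executeActions(ZimbraMailAdapter.java:281)
  Caused by: com.zimbra.cs.mailbox.MailServiceException: mailbox exceeded quota of 1073741824 bytes
  ExceptionId:LmtpServer-3870:1424183539857:71a8aeb42e47fb67
  ... 15 more
  2015-02-17 16:32:19,856 INFO [ImapServer-9] [ip=20.4.5.104;] imap - UID SEARCH elapsed=9
LOG

# Start a new event on every line that begins with a timestamp; append any
# other line (stack frames, "Caused by:", "... 15 more") to the current event.
def group_events(lines)
  events = []
  lines.each do |line|
    if events.empty? || line.match?(FIRSTLINE)
      events << line.dup
    else
      events.last << line
    end
  end
  events
end

# Parse each grouped event; the /m flag lets message span the whole trace.
# Events that do not match EVENT are kept under "unparsed", not dropped.
def parse_events(text)
  group_events(text.lines).map do |raw|
    m = EVENT.match(raw.chomp)
    m ? m.named_captures : { "unparsed" => raw }
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_events(SAMPLE).each do |e|
    puts "#{e['time']} #{e['level']} #{e['component']}: #{e['message'].to_s.lines.size} line(s)"
  end
end
```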