Here is the sample data:
<30>Apr 28 18:39:17 host radiusd[27332]: Waking up in 0.4 seconds.
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Received Access-Request Id 182 from 10.2.8.26:41116 to 10.2.255.2:1812 length 372
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) User-Name = "xxxxx"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) NAS-Identifier = "f29fc2ab48a7"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Called-Station-Id = "AA-AA-AA-AA-AA-AA:ct"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) NAS-Port-Type = Wireless-802.11
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Service-Type = Framed-User
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Calling-Station-Id = "CC-66-0A-1A-C4-CA"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Connect-Info = "CONNECT 0Mbps 802.11b"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Acct-Session-Id = "FD0A87E39DCF380C"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) WLAN-Pairwise-Cipher = 1027076
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) WLAN-Group-Cipher = 1027076
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) WLAN-AKM-Suite = 1027073
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Framed-MTU = 1400
<30>Apr 28 18:39:17 host radiusd[27332]: Waking up in 0.6 seconds.
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Received Access-Request Id 182 from 10.2.8.26:41116 to 10.2.255.2:1812 length 372
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) User-Name = "xxxxx"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) NAS-Identifier = "f29fc2ab48a7"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Called-Station-Id = "AA-AA-AA-AA-AA-AA:ct"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) NAS-Port-Type = Wireless-802.11
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Service-Type = Framed-User
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Calling-Station-Id = "CC-66-AA-AA-A4-CA"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Connect-Info = "CONNECT 0Mbps 802.11b"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Acct-Session-Id = "FD0A87E39DCF380C"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) WLAN-Pairwise-Cipher = 1027076
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) WLAN-Group-Cipher = 1027076
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) WLAN-AKM-Suite = 1027073
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Framed-MTU = 1400
This is my logstash.conf file:
input {
  tcp {
    port => 5055
    codec => multiline {
      # pattern => "^<20>%{MONTH} %{MONTHDAY} %{TIME} hostname radiusd[27332]: Waking up in"
      pattern => "^\{$"
      negate => true
      what => "previous"
    }
  }
}
filter {
  json { source => "message" }
}
output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "xxxx"
    password => "xxxx"
    index => "freeradiusd05"
  }
}
Recently I have been using Rsyslog (to send the RADIUS logs over TCP) and Logstash (to receive the RADIUS logs over TCP) to capture RADIUS logs, but I ran into this problem. I cannot find the right pattern configuration to cut the log into one event per request ID. How do I change the multiline pattern so that the data is correctly split into two events, each starting at the "Waking up in xx seconds." line?
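The grouping the question asks for, written out as an added example that is not part of the original post and not Logstash's own code: a small Python parser that treats every "Waking up in N seconds." line as an event boundary and collects the "(request-id) Attribute = Value" lines that follow into one event. It goes one step beyond the question: because radiusd prints the wake-up line on its own timer rather than once per request, the parser also opens a new event whenever the request number in parentheses changes, so two requests can never end up in the same document even if no wake-up line separates them. The sample lines are a trimmed, constructed copy of the data above; the regular expressions and the event layout are this example's own assumptions.

```python
"""Group FreeRADIUS syslog lines into one event per request.

Boundary rules (assumed for this example):
  * a "Waking up in N seconds." line starts a new event;
  * a change of the "(NNNNNN)" request number also starts a new event.
This mirrors a multiline codec whose start pattern is the wake-up line.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: a trimmed copy of the two requests in the post.
SAMPLE_LINES = """\
<30>Apr 28 18:39:17 host radiusd[27332]: Waking up in 0.4 seconds.
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Received Access-Request Id 182 from 10.2.8.26:41116 to 10.2.255.2:1812 length 372
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) User-Name = "xxxxx"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) NAS-Identifier = "f29fc2ab48a7"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) NAS-Port-Type = Wireless-802.11
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Calling-Station-Id = "CC-66-0A-1A-C4-CA"
<30>Apr 28 18:39:17 host radiusd[27332]: (199515) Framed-MTU = 1400
<30>Apr 28 18:39:17 host radiusd[27332]: Waking up in 0.6 seconds.
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Received Access-Request Id 182 from 10.2.8.26:41116 to 10.2.255.2:1812 length 372
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) User-Name = "xxxxx"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Calling-Station-Id = "CC-66-AA-AA-A4-CA"
<30>Apr 28 18:39:17 host radiusd[27332]: (199516) Framed-MTU = 1400
""".splitlines()

# <PRI>Mon DD HH:MM:SS host prog[pid]: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
WAKEUP_RE = re.compile(r"^Waking up in [\d.]+ seconds\.$")
REQUEST_RE = re.compile(r"^\((?P<rid>\d+)\) (?P<body>.*)$")
RECEIVED_RE = re.compile(
    r"^Received (?P<code>[\w-]+) Id (?P<pkt_id>\d+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) length (?P<length>\d+)$"
)
# Attribute values are either "quoted strings" or bare tokens (Framed-MTU = 1400).
ATTR_RE = re.compile(r'^(?P<name>[\w-]+) = (?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))$')


def _new_event(ts: str, host: str, pid: int) -> Dict:
    return {"timestamp": ts, "host": host, "pid": pid,
            "request_id": None, "packet": None, "attrs": {}}


def group_requests(lines: List[str]) -> List[Dict]:
    """Return one event dict per RADIUS request found in `lines`."""
    events: List[Dict] = []
    current: Optional[Dict] = None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # not a syslog line of the expected shape; ignore it
        msg = m.group("msg")
        if WAKEUP_RE.match(msg):
            # Wake-up line: close the previous event and open a fresh one.
            current = _new_event(m.group("ts"), m.group("host"), int(m.group("pid")))
            events.append(current)
            continue
        r = REQUEST_RE.match(msg)
        if r is None:
            continue  # daemon chatter that belongs to no request
        rid = int(r.group("rid"))
        if current is None or (current["request_id"] is not None and current["request_id"] != rid):
            # No wake-up line seen, or the request number changed without one:
            # start a new event so two requests never share a document.
            current = _new_event(m.group("ts"), m.group("host"), int(m.group("pid")))
            events.append(current)
        current["request_id"] = rid
        body = r.group("body")
        rcv = RECEIVED_RE.match(body)
        if rcv:
            current["packet"] = {"code": rcv.group("code"), "id": int(rcv.group("pkt_id")),
                                 "src": rcv.group("src"), "dst": rcv.group("dst"),
                                 "length": int(rcv.group("length"))}
            continue
        a = ATTR_RE.match(body)
        if a:
            value = a.group("quoted") if a.group("quoted") is not None else a.group("bare")
            current["attrs"][a.group("name")] = value
    # Wake-up windows in which no request arrived carry nothing worth indexing.
    return [e for e in events if e["request_id"] is not None]


if __name__ == "__main__":
    for ev in group_requests(SAMPLE_LINES):
        print(ev["request_id"], ev["packet"]["src"], ev["attrs"].get("Calling-Station-Id"))
```

Run on the sample it yields two events, 199515 and 199516, each with its own Calling-Station-Id and the source address from the Received line. In the Logstash multiline codec the same boundary is expressed by making the wake-up line the pattern with `negate => true` and `what => "previous"`: lines that do not match are appended to the event that started at the last wake-up line. Note also that these lines are plain text, not JSON, so a `json` filter on `message` cannot parse them; a pattern-based filter over the grouped message is what turns the attributes into fields. Having one document per request is what makes defensive queries possible, such as counting distinct User-Name values per Calling-Station-Id or per NAS-Identifier in a time window.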