From d2e3cc232f7f7dab65a108bec43c0fc580965676 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 3 May 2017 08:34:04 -0700
Subject: [PATCH] Handle journald timestamps in multiline logstash

Journald uses syslog not iso8601 timestamps. Handle both in the mutliline rules for oslofmt so that we properly append multiline events together. As is we treat the entire document as one large multiline event.

Change-Id: I8eb865c9f31f26eada3318d06373bc71aacda047
---
 modules/openstack_project/templates/logstash/indexer.conf.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/openstack_project/templates/logstash/indexer.conf.erb b/modules/openstack_project/templates/logstash/indexer.conf.erb
index bee4a8457b..6065d44190 100644
--- a/modules/openstack_project/templates/logstash/indexer.conf.erb
+++ b/modules/openstack_project/templates/logstash/indexer.conf.erb
@@ -31,7 +31,7 @@ filter {
 } else if "oslofmt" in [tags] {
 multiline {
 negate => true
- pattern => "^%{TIMESTAMP_ISO8601} "
+ pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) "
 what => "previous"
 stream_identity => "%{host}.%(unknown)"
 }
@@ -44,7 +44,7 @@ filter {
 # NUMBER being required element here is important, otherwise
 # ERROR messages just fold into the previous messages, which are
 # typically INFO.
- pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
+ pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
 what => "previous"
 stream_identity => "%{host}.%(unknown)"
 }
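Review bot: In the second hunk the new alternation is still followed by `%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)`, which assumes exactly one numeric token sits between the timestamp and the level; lines that match `%{SYSLOGTIMESTAMP}` in journald output usually carry a hostname and unit name in that position, so the TRACE/ERROR folding rule may not fire for them even though the first hunk now starts new events on such lines. This is worth confirming against a captured journald sample, and a comment next to each pattern recording which line shape each alternative targets would help the next reader, e.g. `# ISO8601 for file-based oslo logs, SYSLOGTIMESTAMP (no year) for journald output`. Because both blocks keep `negate => true` with `what => "previous"`, any line matching neither alternative is appended to the open event, so a stream whose timestamps take a third form still collapses into one growing event exactly as the commit message describes for the pre-patch state; the enclosing `filter {` block begins outside both hunks.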