How to configure Filebeat multiline parsing

Multiline parsing keeps stack traces and wrapped log messages intact so a single application error does not become dozens of separate events that break searching, dashboards, and alert correlation.

Filebeat reads log files line by line and normally publishes one event per line. A multiline parser changes that behavior by buffering lines until an event boundary is detected, then emitting one combined event through processors and outputs.

Multiline buffering trades a small delay and memory for cleaner events, so boundary patterns must be narrow and bounded using timeout and max_lines. Invalid YAML indentation or duplicated keys in /etc/filebeat/filebeat.yml prevents Filebeat from starting and stops log shipping until the configuration is corrected.

Steps to configure Filebeat multiline parsing:

Create a backup copy of the current Filebeat configuration.

$ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak

Open the Filebeat configuration file at /etc/filebeat/filebeat.yml.
```
$ sudo nano /etc/filebeat/filebeat.yml
```
Add a filestream input with a multiline parser that appends non-header lines to the previous event.
```
filebeat.inputs:
  - type: filestream
    id: app-logs
    enabled: true
    paths:
      - /var/log/app.log
    parsers:
      - multiline:
          type: pattern
          pattern: '^\['
          negate: true
          match: after
          max_lines: 500
          timeout: 5s
```
Only one filebeat.inputs: key should exist in /etc/filebeat/filebeat.yml, so add the input under the existing list when filebeat.inputs is already present.

pattern should match the first line of a new event; with negate: true and match: after, every non-matching line is appended to the previous event until a new header line appears or timeout flushes the buffer.
Test the Filebeat configuration for errors.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Related: How to test a Filebeat configuration
Restart the Filebeat service to apply the multiline parser.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux

Check the Filebeat service status for an active state with recent log lines.

$ sudo systemctl status filebeat --no-pager --lines=20
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 22:17:05 UTC; 4s ago
       Docs: https://www.elastic.co/beats/filebeat
##### snipped #####

Confirm a known stack trace is ingested as a single event containing embedded newlines.

When stack trace lines still arrive as separate events, pattern is usually too broad or matches lines inside the trace; when unrelated events are merged, pattern is usually too narrow.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.