gistfile1.txt

- type: log
  enabled: true
  paths:
    - /var/log/crowdstrike/falconhoseclient/output
    
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 5000
  multiline.timeout: 10

processors:  
      
  - decode_json_fields:
      fields: ['message']
      target: "crowdstrike"
      process_array: true
      max_depth: 8
      
  - drop_fields:
      fields: ['message'] 

output.elasticsearch:

  pipeline: rename_model

By default /var/log/crowdstrike/falconhoseclient/output does not have the .log extension.