annotate logstash.conf @ 33:0faebb0b0fa4
update to kibana 3, logstash 1.2.1, es 0.90.5
author | Carl Byington <carl@five-ten-sg.com> |
date | Mon, 23 Sep 2013 11:50:21 -0700 |
parents | 1d50b19beda0 |
children | 8ed811f9a0bd |
#
# the rpm install already set the following acl entries
#
# setfacl -m u:logstash:rx /var/log/httpd
# setfacl -m u:logstash:r /var/log/messages
# setfacl -m u:logstash:r /var/log/maillog
#
# you need to allow user logstash to read any input files specified here
#
# NOTE(review): these acls are read-only, which is all the file inputs below
# need; logstash should never be able to write to the logs it ships. The
# /var/log/httpd entry is set on the directory only (no default acl), so
# confirm the individual *_log files matched by the globs below, including
# rotated ones, are readable by user logstash as well.

input {
    # Each file input tags its events with a 'type'; the filter section
    # selects grok/grep/date stages on that type.
    file {
        type => "sendmail"
        path => "/var/log/maillog"
    }
    file {
        type => "linux-syslog"
        path => "/var/log/messages"
    }
    file {
        type => "apache-access"
        path => "/var/log/httpd/*access*_log"
    }
    file {
        type => "apache-error"
        path => "/var/log/httpd/*error*_log"
    }
}

filter {
    # sendmail: DNSBL and SENDMAIL are not stock grok patterns; presumably
    # they are defined under patterns_dir and populate the 'program' field
    # the grep stages below key on -- confirm against that patterns file.
    grok {
        type => "sendmail"
        pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
        patterns_dir => "/var/lib/logstash/data/patterns"
    }
    # Three-stage grep (the history note "grep negate does not behave as
    # expected" explains why this is not a single negated grep):
    #   1. keep only events whose program is sendmail or dnsbl; with
    #      drop => true every non-matching event is discarded, which also
    #      silently discards events whose grok failed and so have no
    #      'program' field -- confirm that is intended.
    #   2. tag, without dropping, sendmail milter lines and all dnsbl lines
    #      as "dropper".
    #   3. for events carrying the "dropper" tag, the negated match on "."
    #      fails for any non-empty message, so those events are dropped.
    # Net effect (to be confirmed): only non-milter sendmail lines survive.
    # NOTE(review): logstash 1.2 conditionals (if [field] =~ /re/ { drop { } })
    # can express this more directly than chained grep filters.
    grep {
        type => "sendmail"
        match => [ "program", "sendmail|dnsbl" ]
        drop => true
    }
    grep {
        type => "sendmail"
        match => [ "program", "sendmail", "message", "^(M|m)ilter" ]
        drop => false
        add_tag => [ "dropper" ]
    }
    grep {
        type => "sendmail"
        match => [ "program", "dnsbl", "message", "." ]
        drop => false
        add_tag => [ "dropper" ]
    }
    grep {
        type => "sendmail"
        tags => [ "dropper" ]
        match => [ "message", "." ]
        negate => true
    }

    grok {
        type => "linux-syslog"
        pattern => "%{SYSLOGBASE}"
    }
    date {
        # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
        type => "linux-syslog"
        # Two layouts cover double- and single-digit days. Neither carries a
        # year or a zone, so the parsed time presumably takes the current year
        # and the local timezone -- TODO confirm, especially around new year
        # and for hosts not logging in local time.
        match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
    grok {
        type => "apache-access"
        pattern => "%{COMBINEDAPACHELOG}"
    }
    date {
        # Try to pull the timestamp from the 'timestamp' field (parsed above with
        # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
        type => "apache-access"
        # Unlike the syslog layouts this one includes the zone offset (Z).
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    # apache-error: APACHE_ERROR_LOG is presumably another custom pattern
    # from patterns_dir (same directory as the sendmail patterns above).
    grok {
        type => "apache-error"
        patterns_dir => "/var/lib/logstash/data/patterns"
        pattern => "%{APACHE_ERROR_LOG}"
    }
}

output {
    elasticsearch {
        # embedded => true starts an Elasticsearch node inside the logstash
        # process; 'host' is where this output's client connects to it, not
        # the address the embedded node binds to.
        # NOTE(review): confirm the embedded node's HTTP and transport ports
        # are bound to loopback or firewalled -- Elasticsearch of this era has
        # no built-in authentication, so anything that can reach those ports
        # has full access to the indexed logs.
        embedded => true
        host => "127.0.0.1"
    }
}