annotate logstash.conf @ 33:0faebb0b0fa4

update to kibana 3, logstash 1.2.1, es 0.90.5
author Carl Byington <carl@five-ten-sg.com>
date Mon, 23 Sep 2013 11:50:21 -0700
parents 1d50b19beda0
children 8ed811f9a0bd
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
1 #
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
2 # the rpm install already set the following acl entries
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
3 #
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
4 # setfacl -m u:logstash:rx /var/log/httpd
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
5 # setfacl -m u:logstash:r /var/log/messages
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
6 # setfacl -m u:logstash:r /var/log/maillog
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
7 #
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
8 # you need to allow user logstash to read any input files specified here
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
9
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
10 input {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
11 file {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
12 type => "sendmail"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
13 path => "/var/log/maillog"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
14 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
15 file {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
16 type => "linux-syslog"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
17 path => "/var/log/messages"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
18 }
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
19 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
20 type => "apache-access"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
21 path => "/var/log/httpd/*access*_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
22 }
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
23 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
24 type => "apache-error"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
25 path => "/var/log/httpd/*error*_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
26 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
27 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
28
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
29 filter {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
30 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
31 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
33 patterns_dir => "/var/lib/logstash/data/patterns"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
34 }
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
35 grep {
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
36 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
37 match => [ "program", "sendmail|dnsbl" ]
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
38 drop => true
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
39 }
3
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
40 grep {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
41 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
42 match => [ "program", "sendmail", "message", "^(M|m)ilter" ]
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
43 drop => false
12
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
44 add_tag => [ "dropper" ]
3
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
45 }
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
46 grep {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
47 type => "sendmail"
12
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
48 match => [ "program", "dnsbl", "message", "." ]
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
49 drop => false
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
50 add_tag => [ "dropper" ]
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
51 }
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
52 grep {
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
53 type => "sendmail"
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
54 tags => [ "dropper" ]
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
55 match => [ "message", "." ]
567e51f1f5e7 better grep filter config
Carl Byington <carl@five-ten-sg.com>
parents: 8
diff changeset
56 negate => true
3
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
57 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
58
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
59 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
60 type => "linux-syslog"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
61 pattern => "%{SYSLOGBASE}"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
62 }
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
63 date {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
64 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
65 type => "linux-syslog"
21
1d50b19beda0 work on building from source
Carl Byington <carl@five-ten-sg.com>
parents: 12
diff changeset
66 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
67 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
68 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
69 type => "apache-access"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
70 pattern => "%{COMBINEDAPACHELOG}"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
71 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
72 date {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
73 # Try to pull the timestamp from the 'timestamp' field (parsed above with
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
74 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
75 type => "apache-access"
21
1d50b19beda0 work on building from source
Carl Byington <carl@five-ten-sg.com>
parents: 12
diff changeset
76 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
77 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
78 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
79 type => "apache-error"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
80 patterns_dir => "/var/lib/logstash/data/patterns"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
81 pattern => "%{APACHE_ERROR_LOG}"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
82 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
83 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
84
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
85 output {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
86 elasticsearch {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
87 embedded => true
21
1d50b19beda0 work on building from source
Carl Byington <carl@five-ten-sg.com>
parents: 12
diff changeset
88 host => "127.0.0.1"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
89 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
90 }