annotate logstash.conf @ 1:59fe08a2fcbe
switch to flatjar.jar; fix sendmail patterns
author | Carl Byington <carl@five-ten-sg.com> |
date | Fri, 01 Mar 2013 18:40:11 -0800 |
parents | df4952a2fb06 |
children | 796ac0b50dbf |
#
# logstash.conf: tail the local sendmail, syslog and Apache logs, parse them
# with grok/date filters, and index the events into an embedded Elasticsearch.
#
# the rpm install already set the following acl entries
#
# setfacl -m u:logstash:rx /var/log/httpd
# setfacl -m u:logstash:r /var/log/messages
# setfacl -m u:logstash:r /var/log/maillog
#
# you need to allow user logstash to read any input files specified here
#
# NOTE(review): ACL entries placed on individual files do not carry over to
# files created later (e.g. by logrotate). Confirm that rotated or newly
# created files matched by the *access*_log / *error*_log globs below are
# still readable by user logstash — a default ACL on the directory
# (setfacl -d ...) or a logrotate hook is the usual way to keep this true.

input {
  # Each file input tags its events with a "type"; the filters below key on
  # that tag to pick the right grok/date handling.
  file {
    type => "sendmail"
    path => "/var/log/maillog"
  }
  file {
    type => "linux-syslog"
    path => "/var/log/messages"
  }
  file {
    type => "apache-access"
    # glob: every access log under /var/log/httpd (one per vhost, presumably)
    path => "/var/log/httpd/*access*_log"
  }
  file {
    type => "apache-error"
    # glob: every error log under /var/log/httpd
    path => "/var/log/httpd/*error*_log"
  }
}

filter {
  # SENDMAIL is not a stock grok pattern; it is loaded from patterns_dir.
  # NOTE(review): whoever can write to that directory controls how these logs
  # are parsed (patterns are regexes) — keep its ownership/permissions tight
  # and readable by user logstash only as needed.
  grok {
    type => "sendmail"
    pattern => "%{SENDMAIL}"
    patterns_dir => "/var/lib/logstash/data/patterns"
  }

  # Stock syslog header: timestamp, host, program[pid].
  grok {
    type => "linux-syslog"
    pattern => "%{SYSLOGBASE}"
  }
  date {
    # Original question: do we need this? the above picks up
    # SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}.
    # NOTE(review): grok only captures that text into a field; this date
    # filter is presumably what turns it into the event timestamp — confirm
    # before removing. The two formats cover two-digit and single-digit days
    # (syslog pads the latter with a space). No year is present in the
    # source format, so the year is presumably assumed by the filter.
    type => "linux-syslog"
    timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
  }
  # Stock Apache combined log format.
  grok {
    type => "apache-access"
    pattern => "%{COMBINEDAPACHELOG}"
  }
  date {
    type => "apache-access"
    # Try to pull the timestamp from the 'timestamp' field (parsed above with
    # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
    timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
  }
  # APACHE_ERROR_LOG is a custom pattern from patterns_dir (same caveat as
  # for SENDMAIL above).
  # NOTE(review): there is no date filter for "sendmail" or "apache-error", so
  # those events appear to keep the ingest time as their event timestamp
  # unless the custom patterns handle it — confirm against the pattern files.
  grok {
    type => "apache-error"
    patterns_dir => "/var/lib/logstash/data/patterns"
    pattern => "%{APACHE_ERROR_LOG}"
  }
}

output {
  # Index into the Elasticsearch node embedded in the logstash process.
  # NOTE(review): an embedded node presumably listens on Elasticsearch's
  # default HTTP/transport ports with no authentication; confirm it is bound
  # to localhost or firewalled before relying on this outside a test host.
  elasticsearch {
    embedded => true
  }
}