logstash: logstash.conf annotate

annotate logstash.conf @ 5:6b7beb807d14

add dnsbl patterns

author	Carl Byington <carl@five-ten-sg.com>
date	Fri, 22 Mar 2013 10:31:48 -0700
parents	796ac0b50dbf
children	97712c48f7fe

rev	line source
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	1 #
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	2 # the rpm install already set the following acl entries
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	3 #
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	4 # setfacl -m u:logstash:rx /var/log/httpd
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	5 # setfacl -m u:logstash:r /var/log/messages
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	6 # setfacl -m u:logstash:r /var/log/maillog
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	7 #
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	8 # you need to allow user logstash to read any input files specified here
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	9
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	10 input {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	11 file {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	12 type => "sendmail"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	13 path => "/var/log/maillog"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	14 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	15 file {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	16 type => "linux-syslog"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	17 path => "/var/log/messages"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	18 }
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	19 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	20 type => "apache-access"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	21 path => "/var/log/httpd/access_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	22 }
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	23 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	24 type => "apache-error"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	25 path => "/var/log/httpd/error_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	26 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	27 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	28
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	29 filter {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	30 grok {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	31 type => "sendmail"
5 6b7beb807d14 add dnsbl patterns Carl Byington <carl@five-ten-sg.com> parents: 3 diff changeset	32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	33 patterns_dir => "/var/lib/logstash/data/patterns"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	34 }
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	35 grep {
796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	36 type => "sendmail"
5 6b7beb807d14 add dnsbl patterns Carl Byington <carl@five-ten-sg.com> parents: 3 diff changeset	37 match => [ "program", "sendmail\|dnsbl" ]
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	38 }
796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	39 grep {
796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	40 type => "sendmail"
796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	41 negate => true
5 6b7beb807d14 add dnsbl patterns Carl Byington <carl@five-ten-sg.com> parents: 3 diff changeset	42 match => [ "program", "sendmail", "message", "^(M\|m)ilter" ]
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	43 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	44
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	45 grok {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	46 type => "linux-syslog"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	47 pattern => "%{SYSLOGBASE}"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	48 }
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	49 date {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	50 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	51 type => "linux-syslog"
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	52 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	53 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	54 grok {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	55 type => "apache-access"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	56 pattern => "%{COMBINEDAPACHELOG}"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	57 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	58 date {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	59 type => "apache-access"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	60 # Try to pull the timestamp from the 'timestamp' field (parsed above with
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	61 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	62 timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	63 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	64 grok {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	65 type => "apache-error"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	66 patterns_dir => "/var/lib/logstash/data/patterns"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	67 pattern => "%{APACHE_ERROR_LOG}"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	68 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	69 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	70
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	71 output {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	72 elasticsearch {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	73 embedded => true
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	74 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	75 }

Mercurial > logstash

annotate logstash.conf @ 5:6b7beb807d14