annotate logstash.conf @ 8:97712c48f7fe

grep negate does not behave as expected
author Carl Byington <carl@five-ten-sg.com>
date Fri, 22 Mar 2013 11:40:47 -0700
parents 6b7beb807d14
children 567e51f1f5e7
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
1 #
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
2 # the rpm install already set the following acl entries
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
3 #
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
4 # setfacl -m u:logstash:rx /var/log/httpd
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
5 # setfacl -m u:logstash:r /var/log/messages
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
6 # setfacl -m u:logstash:r /var/log/maillog
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
7 #
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
8 # you need to allow user logstash to read any input files specified here
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
9
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
10 input {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
11 file {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
12 type => "sendmail"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
13 path => "/var/log/maillog"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
14 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
15 file {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
16 type => "linux-syslog"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
17 path => "/var/log/messages"
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
18 }
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
19 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
20 type => "apache-access"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
21 path => "/var/log/httpd/*access*_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
22 }
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
23 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
24 type => "apache-error"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
25 path => "/var/log/httpd/*error*_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
26 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
27 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
28
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
29 filter {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
30 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
31 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
33 patterns_dir => "/var/lib/logstash/data/patterns"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
34 }
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
35 grep {
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
36 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
37 match => [ "program", "sendmail|dnsbl" ]
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
38 drop => true
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
39 }
3
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
40 grep {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
41 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
42 match => [ "program", "sendmail", "message", "^(M|m)ilter" ]
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
43 drop => false
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
44 add_tag => "dropper"
3
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
45 }
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
46 grep {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
47 type => "sendmail"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
48 exclude_tags => "dropper"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
49 drop => true
3
796ac0b50dbf add cron.daily index cleaning
Carl Byington <carl@five-ten-sg.com>
parents: 1
diff changeset
50 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
51
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
52 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
53 type => "linux-syslog"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
54 pattern => "%{SYSLOGBASE}"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
55 }
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
56 date {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
57 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
58 type => "linux-syslog"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
59 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
60 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
61 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
62 type => "apache-access"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
63 pattern => "%{COMBINEDAPACHELOG}"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
64 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
65 date {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
66 # Try to pull the timestamp from the 'timestamp' field (parsed above with
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
67 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
68 type => "apache-access"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
69 timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
1
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns
Carl Byington <carl@five-ten-sg.com>
parents: 0
diff changeset
70 }
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
71 grok {
8
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
72 type => "apache-error"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
73 patterns_dir => "/var/lib/logstash/data/patterns"
97712c48f7fe grep negate does not behave as expected
Carl Byington <carl@five-ten-sg.com>
parents: 5
diff changeset
74 pattern => "%{APACHE_ERROR_LOG}"
0
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
75 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
76 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
77
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
78 output {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
79 elasticsearch {
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
80 embedded => true
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
81 }
df4952a2fb06 initial version
Carl Byington <carl@five-ten-sg.com>
parents:
diff changeset
82 }