logstash: logstash.conf annotate

annotate logstash.conf @ 8:97712c48f7fe

grep negate does not behave as expected

author	Carl Byington <carl@five-ten-sg.com>
date	Fri, 22 Mar 2013 11:40:47 -0700
parents	6b7beb807d14
children	567e51f1f5e7

rev	line source
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	1 #
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	2 # the rpm install already set the following acl entries
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	3 #
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	4 # setfacl -m u:logstash:rx /var/log/httpd
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	5 # setfacl -m u:logstash:r /var/log/messages
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	6 # setfacl -m u:logstash:r /var/log/maillog
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	7 #
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	8 # you need to allow user logstash to read any input files specified here
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	9
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	10 input {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	11 file {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	12 type => "sendmail"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	13 path => "/var/log/maillog"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	14 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	15 file {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	16 type => "linux-syslog"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	17 path => "/var/log/messages"
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	18 }
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	19 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	20 type => "apache-access"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	21 path => "/var/log/httpd/access_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	22 }
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	23 file {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	24 type => "apache-error"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	25 path => "/var/log/httpd/error_log"
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	26 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	27 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	28
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	29 filter {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	30 grok {
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	31 type => "sendmail"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	33 patterns_dir => "/var/lib/logstash/data/patterns"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	34 }
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	35 grep {
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	36 type => "sendmail"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	37 match => [ "program", "sendmail\|dnsbl" ]
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	38 drop => true
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	39 }
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	40 grep {
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	41 type => "sendmail"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	42 match => [ "program", "sendmail", "message", "^(M\|m)ilter" ]
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	43 drop => false
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	44 add_tag => "dropper"
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	45 }
796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	46 grep {
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	47 type => "sendmail"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	48 exclude_tags => "dropper"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	49 drop => true
3 796ac0b50dbf add cron.daily index cleaning Carl Byington <carl@five-ten-sg.com> parents: 1 diff changeset	50 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	51
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	52 grok {
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	53 type => "linux-syslog"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	54 pattern => "%{SYSLOGBASE}"
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	55 }
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	56 date {
59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	57 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	58 type => "linux-syslog"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	59 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	60 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	61 grok {
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	62 type => "apache-access"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	63 pattern => "%{COMBINEDAPACHELOG}"
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	64 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	65 date {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	66 # Try to pull the timestamp from the 'timestamp' field (parsed above with
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	67 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	68 type => "apache-access"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	69 timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
1 59fe08a2fcbe switch to flatjar.jar; fix sendmail patterns Carl Byington <carl@five-ten-sg.com> parents: 0 diff changeset	70 }
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	71 grok {
8 97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	72 type => "apache-error"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	73 patterns_dir => "/var/lib/logstash/data/patterns"
97712c48f7fe grep negate does not behave as expected Carl Byington <carl@five-ten-sg.com> parents: 5 diff changeset	74 pattern => "%{APACHE_ERROR_LOG}"
0 df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	75 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	76 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	77
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	78 output {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	79 elasticsearch {
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	80 embedded => true
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	81 }
df4952a2fb06 initial version Carl Byington <carl@five-ten-sg.com> parents: diff changeset	82 }

Mercurial > logstash

annotate logstash.conf @ 8:97712c48f7fe