annotate logstash.conf @ 35:d5349a22907e default tip
fix license tags in spec files to be fedora compatible
author: Carl Byington <carl@five-ten-sg.com>
date: Wed, 25 Sep 2013 21:00:11 -0700
parents: 8ed811f9a0bd
children:
#
# the rpm install has already set the following ACL entries
#
# setfacl -m u:logstash:rx /var/log/httpd
# setfacl -m u:logstash:r /var/log/messages
# setfacl -m u:logstash:r /var/log/maillog
#
# you must allow the logstash user to read any input files specified here

# Inputs. The `type` assigned to each file input selects which branch of
# the filter section below handles the event, so the values must match
# the `if [type] == ...` conditions there exactly.
# Reading these paths depends on the logstash user having been granted
# read access (see the ACL notes at the top of this file).
# NOTE(review): no start_position is given, so the file input keeps its
# default and tails from the end of each file on first start instead of
# replaying existing content — confirm that is the intended behaviour.
input {
  file {
    type => "sendmail"
    path => "/var/log/maillog"
  }
  file {
    type => "linux-syslog"
    path => "/var/log/messages"
  }
  # Globs: every access and error log under /var/log/httpd is picked up,
  # including any per-vhost files whose names match the pattern.
  file {
    type => "apache-access"
    path => "/var/log/httpd/*access*_log"
  }
  file {
    type => "apache-error"
    path => "/var/log/httpd/*error*_log"
  }
}

# Per-type parsing. Each branch matches one of the `type` values set by the
# file inputs above; an event whose type matches none of them passes through
# unparsed. Log lines are untrusted text: a grok that fails to match tags the
# event rather than dropping it, so unparsed lines still reach the output.
filter {
  if [type] == "sendmail" {
    grok {
      # DNSBL and SENDMAIL are custom patterns loaded from patterns_dir;
      # they are not defined in this file.
      patterns_dir => "/var/lib/logstash/data/patterns"
      match => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
    }
    # Keep only events whose `program` field is sendmail (grep drops
    # non-matching events by default).
    grep {
      match => [ "program", "sendmail" ]
    }
    # negate => true inverts the match: lines mentioning milter are dropped.
    grep {
      match => [ "message", "(M|m)ilter" ]
      negate => true
    }
    date {
      # get the date from the actual syslog message
      # Both forms are needed: syslog pads single-digit days with a space.
      # NOTE(review): these timestamps carry no year or zone, so the date
      # filter has to infer both — confirm behaviour around year boundaries.
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }

  if [type] == "linux-syslog" {
    grok {
      # SYSLOGBASE is a stock grok pattern; no patterns_dir needed here.
      match => [ "message", "%{SYSLOGBASE}" ]
    }
    date {
      # get the date from the actual syslog message
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }

  if [type] == "apache-access" {
    grok {
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
    date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }

  if [type] == "apache-error" {
    grok {
      # APACHE_ERROR_LOG is a custom pattern loaded from patterns_dir;
      # it is not defined in this file.
      patterns_dir => "/var/lib/logstash/data/patterns"
      match => [ "message", "%{APACHE_ERROR_LOG}" ]
    }
    date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
      # NOTE(review): this comment and the format below are identical to the
      # apache-access branch; confirm the custom APACHE_ERROR_LOG pattern
      # really captures `timestamp` in this layout, since the stock Apache
      # error-log timestamp is laid out differently from the access log one.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}

# Output. With embedded => true logstash runs an Elasticsearch node inside
# its own process and connects to it at the host given below.
# NOTE(review): nothing here restricts which interfaces the embedded node
# listens on or requires authentication to reach it — confirm it is not
# reachable from beyond localhost before exposing this host on a network.
output {
  elasticsearch {
    embedded => true
    host => "127.0.0.1"
  }
}