annotate logstash.conf @ 0:df4952a2fb06

initial version
author Carl Byington <carl@five-ten-sg.com>
date Fri, 01 Mar 2013 14:58:09 -0800
parents
children 59fe08a2fcbe
# The logstash user must be able to read every path named in the input
# section below.  The rpm install already set the following acl entries:
#
#   setfacl -m u:logstash:rx /var/log/httpd
#   setfacl -m u:logstash:r  /var/log/messages
#   setfacl -m u:logstash:r  /var/log/maillog
#
# Any input file added here needs an equivalent read grant for user
# logstash.

input {
  # sendmail log, parsed by the local SENDMAIL grok pattern below
  file {
    type => "sendmail"
    path => "/var/log/maillog"
  }

  # general syslog
  file {
    type => "linux-syslog"
    path => "/var/log/messages"
  }

  # The apache inputs are disabled for now; the matching grok/date filters
  # below are kept so both halves can be switched on together.
  # file {
  #   type => "apache-access"
  #   path => "/var/log/httpd/*access*_log"
  # }
  # file {
  #   type => "apache-error"
  #   path => "/var/log/httpd/*error*_log"
  # }
}

filter {
  # %{SENDMAIL} is a site-local pattern loaded from patterns_dir, not one
  # of the patterns shipped with logstash.
  grok {
    type         => "sendmail"
    patterns_dir => "/var/lib/logstash/data/patterns"
    pattern      => "%{SENDMAIL}"
  }

  # %{SYSLOGBASE} is a bundled pattern, so no patterns_dir is given here.
  grok {
    type    => "linux-syslog"
    pattern => "%{SYSLOGBASE}"
  }
  # date {
  #   # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
  #   type => "linux-syslog"
  #   timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
  # }
  # NOTE(review): grok only copies the timestamp text into a field; it is the
  # date filter that moves it into the event timestamp.  With the block above
  # disabled, syslog events are presumably stamped with the time logstash read
  # the line rather than the time it was logged -- confirm before relying on
  # these timestamps for an incident timeline.

  grok {
    type    => "apache-access"
    pattern => "%{COMBINEDAPACHELOG}"
  }
  date {
    type => "apache-access"
    # Take the event time from the 'timestamp' field that grok extracted
    # above.  The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
    timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
  }

  # %{APACHE_ERROR_LOG} is also a site-local pattern from patterns_dir.
  grok {
    type         => "apache-error"
    patterns_dir => "/var/lib/logstash/data/patterns"
    pattern      => "%{APACHE_ERROR_LOG}"
  }
}

output {
  # Index into the elasticsearch node embedded in the logstash process.
  # NOTE(review): the embedded node brings up its own HTTP and transport
  # listeners, and elasticsearch of this vintage has no built-in
  # authentication, so anyone who can reach those listeners can read or
  # delete the indexed logs -- confirm the host firewall restricts access
  # to them.
  elasticsearch {
    embedded => true
  }
}