annotate logstash.conf @ 35:d5349a22907e default tip

fix license tags in spec files to be fedora compatible
author Carl Byington <carl@five-ten-sg.com>
date Wed, 25 Sep 2013 21:00:11 -0700
parents 8ed811f9a0bd
children
#
# File-permission notes.
#
# Logstash runs as the "logstash" user, so every input path listed below must
# be readable by that user.  The rpm install has already granted these ACL
# entries (rx on the httpd directory so the globs below can list and traverse
# it, r on the individual syslog files):
#
#   setfacl -m u:logstash:rx /var/log/httpd
#   setfacl -m u:logstash:r  /var/log/messages
#   setfacl -m u:logstash:r  /var/log/maillog
#
# Any input path added to this file needs an equivalent read grant.
#

input {
  # Each file input tags its events with a "type"; the filter section keys
  # its grok patterns and date parsing off that tag.
  file {
    path => "/var/log/maillog"
    type => "sendmail"
  }
  file {
    path => "/var/log/messages"
    type => "linux-syslog"
  }
  # Globs pick up every access and error log under the httpd log directory.
  file {
    path => "/var/log/httpd/*access*_log"
    type => "apache-access"
  }
  file {
    path => "/var/log/httpd/*error*_log"
    type => "apache-error"
  }
}

filter {
  if [type] == "sendmail" {
    # DNSBL and SENDMAIL are site-specific patterns loaded from patterns_dir.
    grok {
      match        => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
      patterns_dir => "/var/lib/logstash/data/patterns"
    }
    # Keep only events whose "program" field is sendmail (grep drops events
    # that do not match unless told otherwise) ...
    grep {
      match => [ "program", "sendmail" ]
    }
    # ... and discard milter lines (negate inverts the match).
    grep {
      negate => true
      match  => [ "message", "(M|m)ilter" ]
    }
    date {
      # Use the timestamp carried in the syslog line as the event time, not
      # the time Logstash read it.
      # NOTE(review): the second pattern is for single-digit days; syslog
      # pads those with two spaces ("Sep  5"), so confirm the pattern in the
      # deployed file literally contains that double space.
      # NOTE(review): neither pattern carries a year, so the date filter
      # assumes the current one — lines read across a year boundary can be
      # mis-dated.
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }

  if [type] == "linux-syslog" {
    # Standard syslog prefix: timestamp, host, program/pid.
    grok {
      match => [ "message", "%{SYSLOGBASE}" ]
    }
    date {
      # Same syslog timestamp handling (and the same single-space / missing-
      # year caveats) as the sendmail block above.
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }

  if [type] == "apache-access" {
    grok {
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
    date {
      # COMBINEDAPACHELOG leaves the request time in "timestamp", formatted
      # like "18/Aug/2011:05:44:34 -0700"; parse it as the event time.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }

  if [type] == "apache-error" {
    # APACHE_ERROR_LOG is a site-specific pattern loaded from patterns_dir.
    grok {
      match        => [ "message", "%{APACHE_ERROR_LOG}" ]
      patterns_dir => "/var/lib/logstash/data/patterns"
    }
    date {
      # The error log uses the same "18/Aug/2011:05:44:34 -0700" time layout
      # as the access log.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}

output {
  elasticsearch {
    # Starts an Elasticsearch node inside the Logstash process and ships
    # events to it over loopback.
    # NOTE(review): "host" appears to be the address this output connects
    # to; it does not by itself restrict what the embedded node listens on,
    # and nothing here configures authentication.  Confirm the node's
    # HTTP/transport ports are not reachable from other hosts (firewall them
    # or bind the node to loopback).
    host     => "127.0.0.1"
    embedded => true
  }
}