Mercurial > logstash
comparison logstash.conf @ 1:59fe08a2fcbe
switch to flatjar.jar; fix sendmail patterns
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Fri, 01 Mar 2013 18:40:11 -0800 |
| parents | df4952a2fb06 |
| children | 796ac0b50dbf |
comparison
equal
deleted
inserted
replaced
| 0:df4952a2fb06 | 1:59fe08a2fcbe |
|---|---|
| 14 } | 14 } |
| 15 file { | 15 file { |
| 16 type => "linux-syslog" | 16 type => "linux-syslog" |
| 17 path => "/var/log/messages" | 17 path => "/var/log/messages" |
| 18 } | 18 } |
| 19 # file { | 19 file { |
| 20 # type => "apache-access" | 20 type => "apache-access" |
| 21 # path => "/var/log/httpd/*access*_log" | 21 path => "/var/log/httpd/*access*_log" |
| 22 # } | 22 } |
| 23 # file { | 23 file { |
| 24 # type => "apache-error" | 24 type => "apache-error" |
| 25 # path => "/var/log/httpd/*error*_log" | 25 path => "/var/log/httpd/*error*_log" |
| 26 # } | 26 } |
| 27 } | 27 } |
| 28 | 28 |
| 29 filter { | 29 filter { |
| 30 grok { | 30 grok { |
| 31 type => "sendmail" | 31 type => "sendmail" |
| 35 | 35 |
| 36 grok { | 36 grok { |
| 37 type => "linux-syslog" | 37 type => "linux-syslog" |
| 38 pattern => "%{SYSLOGBASE}" | 38 pattern => "%{SYSLOGBASE}" |
| 39 } | 39 } |
| 40 # date { | 40 date { |
| 41 # # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} | 41 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} |
| 42 # type => "linux-syslog" | 42 type => "linux-syslog" |
| 43 # timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] | 43 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] |
| 44 # } | 44 } |
| 45 | |
| 46 grok { | 45 grok { |
| 47 type => "apache-access" | 46 type => "apache-access" |
| 48 pattern => "%{COMBINEDAPACHELOG}" | 47 pattern => "%{COMBINEDAPACHELOG}" |
| 49 } | 48 } |
| 50 date { | 49 date { |
| 51 type => "apache-access" | 50 type => "apache-access" |
| 52 # Try to pull the timestamp from the 'timestamp' field (parsed above with | 51 # Try to pull the timestamp from the 'timestamp' field (parsed above with |
| 53 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | 52 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" |
| 54 timestamp => "dd/MMM/yyyy:HH:mm:ss Z" | 53 timestamp => "dd/MMM/yyyy:HH:mm:ss Z" |
| 55 } | 54 } |
| 56 | |
| 57 grok { | 55 grok { |
| 58 type => "apache-error" | 56 type => "apache-error" |
| 59 patterns_dir => "/var/lib/logstash/data/patterns" | 57 patterns_dir => "/var/lib/logstash/data/patterns" |
| 60 pattern => "%{APACHE_ERROR_LOG}" | 58 pattern => "%{APACHE_ERROR_LOG}" |
| 61 } | 59 } |