comparison logstash.conf @ 1:59fe08a2fcbe
switch to flatjar.jar; fix sendmail patterns
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Fri, 01 Mar 2013 18:40:11 -0800 |
parents | df4952a2fb06 |
children | 796ac0b50dbf |
0:df4952a2fb06 | 1:59fe08a2fcbe |
---|---|
14 } | 14 } |
15 file { | 15 file { |
16 type => "linux-syslog" | 16 type => "linux-syslog" |
17 path => "/var/log/messages" | 17 path => "/var/log/messages" |
18 } | 18 } |
19 # file { | 19 file { |
20 # type => "apache-access" | 20 type => "apache-access" |
21 # path => "/var/log/httpd/*access*_log" | 21 path => "/var/log/httpd/*access*_log" |
22 # } | 22 } |
23 # file { | 23 file { |
24 # type => "apache-error" | 24 type => "apache-error" |
25 # path => "/var/log/httpd/*error*_log" | 25 path => "/var/log/httpd/*error*_log" |
26 # } | 26 } |
27 } | 27 } |
28 | 28 |
29 filter { | 29 filter { |
30 grok { | 30 grok { |
31 type => "sendmail" | 31 type => "sendmail" |
35 | 35 |
36 grok { | 36 grok { |
37 type => "linux-syslog" | 37 type => "linux-syslog" |
38 pattern => "%{SYSLOGBASE}" | 38 pattern => "%{SYSLOGBASE}" |
39 } | 39 } |
40 # date { | 40 date { |
41 # # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} | 41 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} |
42 # type => "linux-syslog" | 42 type => "linux-syslog" |
43 # timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] | 43 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] |
44 # } | 44 } |
45 | |
46 grok { | 45 grok { |
47 type => "apache-access" | 46 type => "apache-access" |
48 pattern => "%{COMBINEDAPACHELOG}" | 47 pattern => "%{COMBINEDAPACHELOG}" |
49 } | 48 } |
50 date { | 49 date { |
51 type => "apache-access" | 50 type => "apache-access" |
52 # Try to pull the timestamp from the 'timestamp' field (parsed above with | 51 # Try to pull the timestamp from the 'timestamp' field (parsed above with |
53 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | 52 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" |
54 timestamp => "dd/MMM/yyyy:HH:mm:ss Z" | 53 timestamp => "dd/MMM/yyyy:HH:mm:ss Z" |
55 } | 54 } |
56 | |
57 grok { | 55 grok { |
58 type => "apache-error" | 56 type => "apache-error" |
59 patterns_dir => "/var/lib/logstash/data/patterns" | 57 patterns_dir => "/var/lib/logstash/data/patterns" |
60 pattern => "%{APACHE_ERROR_LOG}" | 58 pattern => "%{APACHE_ERROR_LOG}" |
61 } | 59 } |