Mercurial > logstash
comparison logstash.conf @ 34:8ed811f9a0bd
update config files for 1.2.1 syntax changes
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Wed, 25 Sep 2013 15:09:22 -0700 |
| parents | 1d50b19beda0 |
| children |
comparison
equal
deleted
inserted
replaced
| 33:0faebb0b0fa4 | 34:8ed811f9a0bd |
|---|---|
| 25 path => "/var/log/httpd/*error*_log" | 25 path => "/var/log/httpd/*error*_log" |
| 26 } | 26 } |
| 27 } | 27 } |
| 28 | 28 |
| 29 filter { | 29 filter { |
| 30 grok { | 30 if [type] == "sendmail" { |
| 31 type => "sendmail" | 31 grok { |
| 32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ] | 32 patterns_dir => "/var/lib/logstash/data/patterns" |
| 33 patterns_dir => "/var/lib/logstash/data/patterns" | 33 match => [ "message", "%{DNSBL}|%{SENDMAIL}" ] |
| 34 } | 34 } |
| 35 grep { | 35 grep { |
| 36 type => "sendmail" | 36 match => [ "program", "sendmail" ] |
| 37 match => [ "program", "sendmail|dnsbl" ] | 37 } |
| 38 drop => true | 38 grep { |
| 39 } | 39 match => [ "message", "(M|m)ilter" ] |
| 40 grep { | 40 negate => true |
| 41 type => "sendmail" | 41 } |
| 42 match => [ "program", "sendmail", "message", "^(M|m)ilter" ] | 42 date { |
| 43 drop => false | 43 # get the date from the actual syslog message |
| 44 add_tag => [ "dropper" ] | 44 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] |
| 45 } | 45 } |
| 46 grep { | |
| 47 type => "sendmail" | |
| 48 match => [ "program", "dnsbl", "message", "." ] | |
| 49 drop => false | |
| 50 add_tag => [ "dropper" ] | |
| 51 } | |
| 52 grep { | |
| 53 type => "sendmail" | |
| 54 tags => [ "dropper" ] | |
| 55 match => [ "message", "." ] | |
| 56 negate => true | |
| 57 } | 46 } |
| 58 | 47 |
| 59 grok { | 48 if [type] == "linux-syslog" { |
| 60 type => "linux-syslog" | 49 grok { |
| 61 pattern => "%{SYSLOGBASE}" | 50 match => [ "message", "%{SYSLOGBASE}" ] |
| 51 } | |
| 52 date { | |
| 53 # get the date from the actual syslog message | |
| 54 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] | |
| 55 } | |
| 62 } | 56 } |
| 63 date { | 57 |
| 64 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} | 58 if [type] == "apache-access" { |
| 65 type => "linux-syslog" | 59 grok { |
| 66 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] | 60 match => [ "message", "%{COMBINEDAPACHELOG}" ] |
| 61 } | |
| 62 date { | |
| 63 # Try to pull the timestamp from the 'timestamp' field (parsed above with | |
| 64 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | |
| 65 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] | |
| 66 } | |
| 67 } | 67 } |
| 68 grok { | 68 |
| 69 type => "apache-access" | 69 if [type] == "apache-error" { |
| 70 pattern => "%{COMBINEDAPACHELOG}" | 70 grok { |
| 71 } | 71 patterns_dir => "/var/lib/logstash/data/patterns" |
| 72 date { | 72 match => [ "message", "%{APACHE_ERROR_LOG}" ] |
| 73 # Try to pull the timestamp from the 'timestamp' field (parsed above with | 73 } |
| 74 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | 74 date { |
| 75 type => "apache-access" | 75 # Try to pull the timestamp from the 'timestamp' field (parsed above with |
| 76 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] | 76 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" |
| 77 } | 77 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] |
| 78 grok { | 78 } |
| 79 type => "apache-error" | |
| 80 patterns_dir => "/var/lib/logstash/data/patterns" | |
| 81 pattern => "%{APACHE_ERROR_LOG}" | |
| 82 } | 79 } |
| 83 } | 80 } |
| 84 | 81 |
| 85 output { | 82 output { |
| 86 elasticsearch { | 83 elasticsearch { |