comparison logstash.conf @ 34:8ed811f9a0bd
update config files for 1.2.1 syntax changes
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Wed, 25 Sep 2013 15:09:22 -0700 |
parents | 1d50b19beda0 |
children |
33:0faebb0b0fa4 | 34:8ed811f9a0bd |
---|---|
25 path => "/var/log/httpd/*error*_log" | 25 path => "/var/log/httpd/*error*_log" |
26 } | 26 } |
27 } | 27 } |
28 | 28 |
29 filter { | 29 filter { |
30 grok { | 30 if [type] == "sendmail" { |
31 type => "sendmail" | 31 grok { |
32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ] | 32 patterns_dir => "/var/lib/logstash/data/patterns" |
33 patterns_dir => "/var/lib/logstash/data/patterns" | 33 match => [ "message", "%{DNSBL}|%{SENDMAIL}" ] |
34 } | 34 } |
35 grep { | 35 grep { |
36 type => "sendmail" | 36 match => [ "program", "sendmail" ] |
37 match => [ "program", "sendmail|dnsbl" ] | 37 } |
38 drop => true | 38 grep { |
39 } | 39 match => [ "message", "(M|m)ilter" ] |
40 grep { | 40 negate => true |
41 type => "sendmail" | 41 } |
42 match => [ "program", "sendmail", "message", "^(M|m)ilter" ] | 42 date { |
43 drop => false | 43 # get the date from the actual syslog message |
44 add_tag => [ "dropper" ] | 44 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] |
45 } | 45 } |
46 grep { | |
47 type => "sendmail" | |
48 match => [ "program", "dnsbl", "message", "." ] | |
49 drop => false | |
50 add_tag => [ "dropper" ] | |
51 } | |
52 grep { | |
53 type => "sendmail" | |
54 tags => [ "dropper" ] | |
55 match => [ "message", "." ] | |
56 negate => true | |
57 } | 46 } |
58 | 47 |
59 grok { | 48 if [type] == "linux-syslog" { |
60 type => "linux-syslog" | 49 grok { |
61 pattern => "%{SYSLOGBASE}" | 50 match => [ "message", "%{SYSLOGBASE}" ] |
51 } | |
52 date { | |
53 # get the date from the actual syslog message | |
54 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] | |
55 } | |
62 } | 56 } |
63 date { | 57 |
64 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} | 58 if [type] == "apache-access" { |
65 type => "linux-syslog" | 59 grok { |
66 match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] | 60 match => [ "message", "%{COMBINEDAPACHELOG}" ] |
61 } | |
62 date { | |
63 # Try to pull the timestamp from the 'timestamp' field (parsed above with | |
64 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | |
65 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] | |
66 } | |
67 } | 67 } |
68 grok { | 68 |
69 type => "apache-access" | 69 if [type] == "apache-error" { |
70 pattern => "%{COMBINEDAPACHELOG}" | 70 grok { |
71 } | 71 patterns_dir => "/var/lib/logstash/data/patterns" |
72 date { | 72 match => [ "message", "%{APACHE_ERROR_LOG}" ] |
73 # Try to pull the timestamp from the 'timestamp' field (parsed above with | 73 } |
74 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | 74 date { |
75 type => "apache-access" | 75 # Try to pull the timestamp from the 'timestamp' field (parsed above with |
76 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] | 76 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" |
77 } | 77 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] |
78 grok { | 78 } |
79 type => "apache-error" | |
80 patterns_dir => "/var/lib/logstash/data/patterns" | |
81 pattern => "%{APACHE_ERROR_LOG}" | |
82 } | 79 } |
83 } | 80 } |
84 | 81 |
85 output { | 82 output { |
86 elasticsearch { | 83 elasticsearch { |