comparison logstash.conf @ 8:97712c48f7fe

grep negate does not behave as expected
author Carl Byington <carl@five-ten-sg.com>
date Fri, 22 Mar 2013 11:40:47 -0700
parents 6b7beb807d14
children 567e51f1f5e7
7:e4ba03940224 8:97712c48f7fe
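--- a/logstash.conf
+++ b/logstash.conf
@@ -26,47 +26,54 @@
 }
 }
 
 filter {
 grok {
 type => "sendmail"
 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
 patterns_dir => "/var/lib/logstash/data/patterns"
 }
 grep {
 type => "sendmail"
 match => [ "program", "sendmail|dnsbl" ]
+drop => true
 }
 grep {
 type => "sendmail"
-negate => true
 match => [ "program", "sendmail", "message", "^(M|m)ilter" ]
+drop => false
+add_tag => "dropper"
+}
+grep {
+type => "sendmail"
+exclude_tags => "dropper"
+drop => true
 }
 
 grok {
 type => "linux-syslog"
 pattern => "%{SYSLOGBASE}"
 }
 date {
 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
 type => "linux-syslog"
 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
 }
 grok {
 type => "apache-access"
 pattern => "%{COMBINEDAPACHELOG}"
 }
 date {
-type => "apache-access"
 # Try to pull the timestamp from the 'timestamp' field (parsed above with
 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+type => "apache-access"
 timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
 }
 grok {
 type => "apache-error"
 patterns_dir => "/var/lib/logstash/data/patterns"
 pattern => "%{APACHE_ERROR_LOG}"
 }
 }
 
 output {
 elasticsearch {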
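Review bot: The third grep (new lines 46–50) is gated by `exclude_tags => "dropper"`, so as I read it it never runs on the events the second grep just tagged, and therefore cannot be the filter that discards the Milter lines; whatever it does applies only to the untagged sendmail events, which looks like the inverse of what `negate => true` was meant to do. If the goal is to drop the tagged events, `tags => "dropper"` is the selector that restricts the filter to them; either way, verify with one `Milter` and one non-Milter sample event that the correct one survives. Since the config now uses three filters where one used to suffice and the reason lives only in the commit message, a comment above the second grep would help the next maintainer: `# negate => true did not drop matching events here; tag the Milter lines and drop them by tag in the next grep`. The sendmail filters are fully inside the hunk; the `output` block that starts on the last line continues outside it.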