Mercurial > logstash
comparison logstash.conf @ 8:97712c48f7fe
grep negate does not behave as expected
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Fri, 22 Mar 2013 11:40:47 -0700 |
| parents | 6b7beb807d14 |
| children | 567e51f1f5e7 |
comparison
equal
deleted
inserted
replaced
| 7:e4ba03940224 | 8:97712c48f7fe |
|---|---|
| 26 } | 26 } |
| 27 } | 27 } |
| 28 | 28 |
| 29 filter { | 29 filter { |
| 30 grok { | 30 grok { |
| 31 type => "sendmail" | 31 type => "sendmail" |
| 32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ] | 32 pattern => [ "%{DNSBL}", "%{SENDMAIL}" ] |
| 33 patterns_dir => "/var/lib/logstash/data/patterns" | 33 patterns_dir => "/var/lib/logstash/data/patterns" |
| 34 } | 34 } |
| 35 grep { | 35 grep { |
| 36 type => "sendmail" | 36 type => "sendmail" |
| 37 match => [ "program", "sendmail|dnsbl" ] | 37 match => [ "program", "sendmail|dnsbl" ] |
| 38 drop => true | |
| 38 } | 39 } |
| 39 grep { | 40 grep { |
| 40 type => "sendmail" | 41 type => "sendmail" |
| 41 negate => true | 42 match => [ "program", "sendmail", "message", "^(M|m)ilter" ] |
| 42 match => [ "program", "sendmail", "message", "^(M|m)ilter" ] | 43 drop => false |
| 44 add_tag => "dropper" | |
| 45 } | |
| 46 grep { | |
| 47 type => "sendmail" | |
| 48 exclude_tags => "dropper" | |
| 49 drop => true | |
| 43 } | 50 } |
| 44 | 51 |
| 45 grok { | 52 grok { |
| 46 type => "linux-syslog" | 53 type => "linux-syslog" |
| 47 pattern => "%{SYSLOGBASE}" | 54 pattern => "%{SYSLOGBASE}" |
| 48 } | 55 } |
| 49 date { | 56 date { |
| 50 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} | 57 # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} |
| 51 type => "linux-syslog" | 58 type => "linux-syslog" |
| 52 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] | 59 timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] |
| 53 } | 60 } |
| 54 grok { | 61 grok { |
| 55 type => "apache-access" | 62 type => "apache-access" |
| 56 pattern => "%{COMBINEDAPACHELOG}" | 63 pattern => "%{COMBINEDAPACHELOG}" |
| 57 } | 64 } |
| 58 date { | 65 date { |
| 59 type => "apache-access" | |
| 60 # Try to pull the timestamp from the 'timestamp' field (parsed above with | 66 # Try to pull the timestamp from the 'timestamp' field (parsed above with |
| 61 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" | 67 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" |
| 62 timestamp => "dd/MMM/yyyy:HH:mm:ss Z" | 68 type => "apache-access" |
| 69 timestamp => "dd/MMM/yyyy:HH:mm:ss Z" | |
| 63 } | 70 } |
| 64 grok { | 71 grok { |
| 65 type => "apache-error" | 72 type => "apache-error" |
| 66 patterns_dir => "/var/lib/logstash/data/patterns" | 73 patterns_dir => "/var/lib/logstash/data/patterns" |
| 67 pattern => "%{APACHE_ERROR_LOG}" | 74 pattern => "%{APACHE_ERROR_LOG}" |
| 68 } | 75 } |
| 69 } | 76 } |
| 70 | 77 |
| 71 output { | 78 output { |
| 72 elasticsearch { | 79 elasticsearch { |