comparison logstash.conf @ 0:df4952a2fb06

initial version
author Carl Byington <carl@five-ten-sg.com>
date Fri, 01 Mar 2013 14:58:09 -0800
parents
children 59fe08a2fcbe
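--- a/logstash.conf
+++ b/logstash.conf
@@ -0,0 +1,68 @@
+#
+# the rpm install already set the following acl entries
+#
+# setfacl -m u:logstash:rx /var/log/httpd
+# setfacl -m u:logstash:r /var/log/messages
+# setfacl -m u:logstash:r /var/log/maillog
+#
+# you need to allow user logstash to read any input files specified here
+
+input {
+file {
+type => "sendmail"
+path => "/var/log/maillog"
+}
+file {
+type => "linux-syslog"
+path => "/var/log/messages"
+}
+# file {
+# type => "apache-access"
+# path => "/var/log/httpd/*access*_log"
+# }
+# file {
+# type => "apache-error"
+# path => "/var/log/httpd/*error*_log"
+# }
+}
+
+filter {
+grok {
+type => "sendmail"
+pattern => "%{SENDMAIL}"
+patterns_dir => "/var/lib/logstash/data/patterns"
+}
+
+grok {
+type => "linux-syslog"
+pattern => "%{SYSLOGBASE}"
+}
+# date {
+# # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
+# type => "linux-syslog"
+# timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
+# }
+
+grok {
+type => "apache-access"
+pattern => "%{COMBINEDAPACHELOG}"
+}
+date {
+type => "apache-access"
+# Try to pull the timestamp from the 'timestamp' field (parsed above with
+# grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
+}
+
+grok {
+type => "apache-error"
+patterns_dir => "/var/lib/logstash/data/patterns"
+pattern => "%{APACHE_ERROR_LOG}"
+}
+}
+
+output {
+elasticsearch {
+embedded => true
+}
+}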
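Review bot: The `elasticsearch { embedded => true }` output at the end of the file starts an Elasticsearch node inside the logstash process with no note on where it listens; an embedded node of this era is, as far as I recall, reachable over HTTP and transport ports without authentication unless it is bound to loopback or firewalled, so the syslog and maillog contents fed here (sender addresses, hostnames, auth failures) would be readable by anyone on the network — worth confirming for this logstash version and recording next to the option, e.g. `# embedded ES listens on the network by default; bind to localhost or firewall its ports before exposing this host`. The commented `date` filter for `linux-syslog` also deserves a decision rather than the open question "do we need this?": the grok `%{SYSLOGBASE}` pattern only extracts the timestamp text, and if no `date` filter is applied the event time is presumably the time logstash read the line, which skews any later incident timeline built from rotated or replayed logs. Finally, the header comment lists an `rx` ACL on `/var/log/httpd` although both apache inputs are commented out; a one-line comment such as `# apache inputs disabled below; the /var/log/httpd ACL is only needed once they are enabled` would keep the grant and the inputs in sync.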