diff logstash.conf @ 34:8ed811f9a0bd

update config files for 1.2.1 syntax changes
author Carl Byington <carl@five-ten-sg.com>
date Wed, 25 Sep 2013 15:09:22 -0700
parents 1d50b19beda0
children
--- a/logstash.conf	Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.conf	Wed Sep 25 15:09:22 2013 -0700
@@ -27,58 +27,55 @@
 }
 
 filter {
-    grok {
-        type            => "sendmail"
-        pattern         => [ "%{DNSBL}", "%{SENDMAIL}" ]
-        patterns_dir    => "/var/lib/logstash/data/patterns"
-    }
-    grep {
-        type            => "sendmail"
-        match           => [ "program", "sendmail|dnsbl" ]
-        drop            => true
-    }
-    grep {
-        type            => "sendmail"
-        match           => [ "program", "sendmail", "message", "^(M|m)ilter" ]
-        drop            => false
-        add_tag         => [ "dropper" ]
-    }
-    grep {
-        type            => "sendmail"
-        match           => [ "program", "dnsbl", "message", "." ]
-        drop            => false
-        add_tag         => [ "dropper" ]
-    }
-    grep {
-        type            => "sendmail"
-        tags            => [ "dropper" ]
-        match           => [ "message", "." ]
-        negate          => true
+    if [type] == "sendmail" {
+        grok {
+            patterns_dir    => "/var/lib/logstash/data/patterns"
+            match           => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
+        }
+        grep {
+            match           => [ "program", "sendmail" ]
+        }
+        grep {
+            match           => [ "message", "(M|m)ilter" ]
+            negate          => true
+        }
+        date {
+            # get the date from the actual syslog message
+            match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
+        }
     }
 
-    grok {
-        type            => "linux-syslog"
-        pattern         => "%{SYSLOGBASE}"
-    }
-    date {
-        # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
-        type            => "linux-syslog"
-        match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
+    if [type] == "linux-syslog" {
+        grok {
+            match           => [ "message", "%{SYSLOGBASE}" ]
+        }
+        date {
+            # get the date from the actual syslog message
+            match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
+        }
     }
-    grok {
-        type            => "apache-access"
-        pattern         => "%{COMBINEDAPACHELOG}"
+
+    if [type] == "apache-access" {
+        grok {
+            match           => [ "message", "%{COMBINEDAPACHELOG}" ]
+        }
+        date {
+            # Try to pull the timestamp from the 'timestamp' field (parsed above with
+            # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+            match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+        }
     }
-    date {
-        # Try to pull the timestamp from the 'timestamp' field (parsed above with
-        # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
-        type            => "apache-access"
-        match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
-    }
-    grok {
-        type            => "apache-error"
-        patterns_dir    => "/var/lib/logstash/data/patterns"
-        pattern         => "%{APACHE_ERROR_LOG}"
+
+    if [type] == "apache-error" {
+        grok {
+            patterns_dir    => "/var/lib/logstash/data/patterns"
+            match           => [ "message", "%{APACHE_ERROR_LOG}" ]
+        }
+        date {
+            # Try to pull the timestamp from the 'timestamp' field (parsed above with
+            # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+            match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+        }
     }
 }
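Review bot: The second grep in the sendmail branch dropped the `^` anchor the old rule had (`^(M|m)ilter` became `(M|m)ilter`), so any sendmail line that merely contains "milter" anywhere — including inside an attacker-chosen sender or recipient address logged in `from=<...>`/`to=<...>` — is now discarded before it is indexed, which is a log-evasion path. Restoring the anchor, `match => [ "message", "^(M|m)ilter" ]`, limits the drop to the milter status lines the original rule targeted. The new `date` block in the apache-error branch reuses the access-log format `dd/MMM/yyyy:HH:mm:ss Z` and its copied comment, but Apache error logs stamp lines as e.g. `[Wed Sep 25 15:09:22 2013]`; unless the custom `%{APACHE_ERROR_LOG}` pattern in patterns_dir (not visible here) emits `timestamp` in access-log form, the parse will fail and events silently keep their receive time, so the format (likely `"EEE MMM dd HH:mm:ss yyyy"`) and the comment should be verified against that pattern file. If I recall correctly, `grep` is deprecated in the 1.2 line in favour of conditionals plus `drop {}` (e.g. `if [program] != "sendmail" { drop {} }`), which this "1.2.1 syntax" update could adopt at the same time.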