diff logstash.conf @ 8:97712c48f7fe

grep negate does not behave as expected
author Carl Byington <carl@five-ten-sg.com>
date Fri, 22 Mar 2013 11:40:47 -0700
parents 6b7beb807d14
children 567e51f1f5e7
--- a/logstash.conf	Fri Mar 22 10:50:16 2013 -0700
+++ b/logstash.conf	Fri Mar 22 11:40:47 2013 -0700
@@ -28,43 +28,50 @@
 
 filter {
     grok {
-        type => "sendmail"
-        pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
-        patterns_dir => "/var/lib/logstash/data/patterns"
+        type            => "sendmail"
+        pattern         => [ "%{DNSBL}", "%{SENDMAIL}" ]
+        patterns_dir    => "/var/lib/logstash/data/patterns"
+    }
+    grep {
+        type            => "sendmail"
+        match           => [ "program", "sendmail|dnsbl" ]
+        drop            => true
     }
     grep {
-        type => "sendmail"
-        match => [ "program", "sendmail|dnsbl" ]
+        type            => "sendmail"
+        match           => [ "program", "sendmail", "message", "^(M|m)ilter" ]
+        drop            => false
+        add_tag         => "dropper"
     }
     grep {
-        type => "sendmail"
-        negate => true
-        match => [ "program", "sendmail", "message", "^(M|m)ilter" ]
+        type            => "sendmail"
+        exclude_tags    => "dropper"
+        drop            => true
     }
 
     grok {
-        type => "linux-syslog"
-        pattern => "%{SYSLOGBASE}"
+        type            => "linux-syslog"
+        pattern         => "%{SYSLOGBASE}"
     }
     date {
         # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
-        type => "linux-syslog"
-        timestamp => ["MMM dd HH:mm:ss","MMM  d HH:mm:ss"]
+        type            => "linux-syslog"
+        timestamp       => ["MMM dd HH:mm:ss","MMM  d HH:mm:ss"]
     }
     grok {
-        type => "apache-access"
-        pattern => "%{COMBINEDAPACHELOG}"
+        type            => "apache-access"
+        pattern         => "%{COMBINEDAPACHELOG}"
     }
     date {
-        type => "apache-access"
         # Try to pull the timestamp from the 'timestamp' field (parsed above with
         # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
-        timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
+        type            => "apache-access"
+        timestamp       => "dd/MMM/yyyy:HH:mm:ss Z"
     }
     grok {
-        type => "apache-error"
-        patterns_dir => "/var/lib/logstash/data/patterns"
-        pattern => "%{APACHE_ERROR_LOG}"
+        type            => "apache-error"
+        patterns_dir    => "/var/lib/logstash/data/patterns"
+        pattern         => "%{APACHE_ERROR_LOG}"
     }
 }
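Review bot: The third grep (`exclude_tags => "dropper"` with `drop => true`) selects the events that do not carry the tag, which is the inverse of what the second grep sets up — that block tags the sendmail/milter lines as "dropper" with `drop => false`, so the tag marks the events to discard, yet no filter ever acts on the tagged events themselves. That block also has no `match`, so its effect on the untagged events depends on how this logstash version treats an empty pattern set: if an empty set counts as a miss, nearly every sendmail and dnsbl event that survived the first grep is silently dropped and the mail log all but disappears from the pipeline; if it counts as a hit, nothing is dropped and the milter lines are merely tagged. Either way the drop does not land where the removed `negate => true` placed it, and neither outcome is recoverable after the fact, so it is worth checking against a sample milter line and a sample non-milter line before deploying. A one-line comment above the block stating the intent, e.g. `# drop sendmail events tagged 'dropper' (milter lines); keep everything else`, would make the expected behaviour reviewable; presumably the block needs to select the tagged events rather than exclude them, with a pattern that fails for them, for the tag to cause a drop.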