diff logstash.conf @ 0:df4952a2fb06

initial version
author Carl Byington <carl@five-ten-sg.com>
date Fri, 01 Mar 2013 14:58:09 -0800
parents
children 59fe08a2fcbe
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/logstash.conf	Fri Mar 01 14:58:09 2013 -0800
@@ -0,0 +1,68 @@
+#
+# the rpm install already set the following acl entries
+#
+# setfacl -m u:logstash:rx /var/log/httpd
+# setfacl -m u:logstash:r  /var/log/messages
+# setfacl -m u:logstash:r  /var/log/maillog
+#
+# you need to allow user logstash to read any input files specified here
+
+input {
+    file {
+        type => "sendmail"
+        path => "/var/log/maillog"
+    }
+    file {
+        type => "linux-syslog"
+        path => "/var/log/messages"
+    }
+#    file {
+#        type => "apache-access"
+#        path => "/var/log/httpd/*access*_log"
+#    }
+#    file {
+#        type => "apache-error"
+#        path => "/var/log/httpd/*error*_log"
+#    }
+}
+
+filter {
+    grok {
+        type => "sendmail"
+        pattern => "%{SENDMAIL}"
+        patterns_dir => "/var/lib/logstash/data/patterns"
+    }
+
+    grok {
+        type => "linux-syslog"
+        pattern => "%{SYSLOGBASE}"
+    }
+#    date {
+#        # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
+#        type => "linux-syslog"
+#        timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
+#    }
+
+    grok {
+        type => "apache-access"
+        pattern => "%{COMBINEDAPACHELOG}"
+    }
+    date {
+        type => "apache-access"
+        # Try to pull the timestamp from the 'timestamp' field (parsed above with
+        # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+        timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
+     }
+
+    grok {
+        type => "apache-error"
+        patterns_dir => "/var/lib/logstash/data/patterns"
+        pattern => "%{APACHE_ERROR_LOG}"
+    }
+}
+
+output {
+    elasticsearch {
+        embedded => true
+    }
+}
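Review bot: The `elasticsearch { embedded => true }` output starts an Elasticsearch node inside the logstash process with no binding or access settings, so the header comment should state how that node is exposed and who may reach it; as written, nothing on the page restricts the embedded instance to the local host or to a firewall rule, and a reviewer cannot tell whether the indexed syslog and maillog data is reachable from the network. I would add, next to the ACL notes at the top, a comment such as `# the embedded elasticsearch node must be bound to loopback or blocked by the host firewall; the indexed logs are otherwise readable without authentication`, and confirm the actual bind address in the deployment. A second point for the same header: the `setfacl` entries apply to the current `/var/log/messages` and `/var/log/maillog` files only, so a rotated file created later will not carry them unless the rotation configuration reapplies the ACL; a line noting that dependency would save the next operator a silent loss of input. Minor style: the closing brace of the apache-access `date` block is indented five spaces where every sibling uses four.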