Mercurial > logstash
view logstash.conf @ 33:0faebb0b0fa4
update to kibana 3, logstash 1.2.1, es 0.90.5
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Mon, 23 Sep 2013 11:50:21 -0700 |
parents | 1d50b19beda0 |
children | 8ed811f9a0bd |
line wrap: on
line source
# # the rpm install already set the following acl entries # # setfacl -m u:logstash:rx /var/log/httpd # setfacl -m u:logstash:r /var/log/messages # setfacl -m u:logstash:r /var/log/maillog # # you need to allow user logstash to read any input files specified here input { file { type => "sendmail" path => "/var/log/maillog" } file { type => "linux-syslog" path => "/var/log/messages" } file { type => "apache-access" path => "/var/log/httpd/*access*_log" } file { type => "apache-error" path => "/var/log/httpd/*error*_log" } } filter { grok { type => "sendmail" pattern => [ "%{DNSBL}", "%{SENDMAIL}" ] patterns_dir => "/var/lib/logstash/data/patterns" } grep { type => "sendmail" match => [ "program", "sendmail|dnsbl" ] drop => true } grep { type => "sendmail" match => [ "program", "sendmail", "message", "^(M|m)ilter" ] drop => false add_tag => [ "dropper" ] } grep { type => "sendmail" match => [ "program", "dnsbl", "message", "." ] drop => false add_tag => [ "dropper" ] } grep { type => "sendmail" tags => [ "dropper" ] match => [ "message", "." ] negate => true } grok { type => "linux-syslog" pattern => "%{SYSLOGBASE}" } date { # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} type => "linux-syslog" match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ] } grok { type => "apache-access" pattern => "%{COMBINEDAPACHELOG}" } date { # Try to pull the timestamp from the 'timestamp' field (parsed above with # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" type => "apache-access" match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] } grok { type => "apache-error" patterns_dir => "/var/lib/logstash/data/patterns" pattern => "%{APACHE_ERROR_LOG}" } } output { elasticsearch { embedded => true host => "127.0.0.1" } }