Mercurial > logstash
view logstash.conf @ 19:729f36e68da8 unbundled-1.1.9-working
work on building from source
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Wed, 17 Apr 2013 11:48:04 -0700 |
parents | 567e51f1f5e7 |
children | 1d50b19beda0 |
line wrap: on
line source
# # the rpm install already set the following acl entries # # setfacl -m u:logstash:rx /var/log/httpd # setfacl -m u:logstash:r /var/log/messages # setfacl -m u:logstash:r /var/log/maillog # # you need to allow user logstash to read any input files specified here input { file { type => "sendmail" path => "/var/log/maillog" } file { type => "linux-syslog" path => "/var/log/messages" } file { type => "apache-access" path => "/var/log/httpd/*access*_log" } file { type => "apache-error" path => "/var/log/httpd/*error*_log" } } filter { grok { type => "sendmail" pattern => [ "%{DNSBL}", "%{SENDMAIL}" ] patterns_dir => "/var/lib/logstash/data/patterns" } grep { type => "sendmail" match => [ "program", "sendmail|dnsbl" ] drop => true } grep { type => "sendmail" match => [ "program", "sendmail", "message", "^(M|m)ilter" ] drop => false add_tag => [ "dropper" ] } grep { type => "sendmail" match => [ "program", "dnsbl", "message", "." ] drop => false add_tag => [ "dropper" ] } grep { type => "sendmail" tags => [ "dropper" ] match => [ "message", "." ] negate => true } grok { type => "linux-syslog" pattern => "%{SYSLOGBASE}" } date { # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} type => "linux-syslog" timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"] } grok { type => "apache-access" pattern => "%{COMBINEDAPACHELOG}" } date { # Try to pull the timestamp from the 'timestamp' field (parsed above with # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700" type => "apache-access" timestamp => "dd/MMM/yyyy:HH:mm:ss Z" } grok { type => "apache-error" patterns_dir => "/var/lib/logstash/data/patterns" pattern => "%{APACHE_ERROR_LOG}" } } output { elasticsearch { embedded => true } }