view logstash.conf @ 19:729f36e68da8 unbundled-1.1.9-working

work on building from source
author Carl Byington <carl@five-ten-sg.com>
date Wed, 17 Apr 2013 11:48:04 -0700
parents 567e51f1f5e7
children 1d50b19beda0

#
# the rpm install has already set the following ACL entries (read access for the logstash user):
#
# setfacl -m u:logstash:rx /var/log/httpd
# setfacl -m u:logstash:r  /var/log/messages
# setfacl -m u:logstash:r  /var/log/maillog
#
# any input file added below must also be readable by the logstash user (e.g. via a similar setfacl entry)

input {
    # Tail the local log files; each stanza stamps its events with the type
    # the filter section keys on. The logstash user needs read access to every
    # path listed here (see the acl notes at the top of this file).
    file {
        path => "/var/log/httpd/*access*_log"
        type => "apache-access"
    }
    file {
        path => "/var/log/httpd/*error*_log"
        type => "apache-error"
    }
    file {
        path => "/var/log/maillog"
        type => "sendmail"
    }
    file {
        path => "/var/log/messages"
        type => "linux-syslog"
    }
}

filter {
    # --- sendmail events (/var/log/maillog) ---
    # Parse each line with the site-specific DNSBL and SENDMAIL grok patterns
    # loaded from patterns_dir; the fields they extract (program, message)
    # drive the grep stages below.
    grok {
        type            => "sendmail"
        pattern         => [ "%{DNSBL}", "%{SENDMAIL}" ]
        patterns_dir    => "/var/lib/logstash/data/patterns"
    }
    # Keep only events whose program is sendmail or dnsbl; with drop => true
    # every non-matching maillog line is discarded here.
    grep {
        type            => "sendmail"
        match           => [ "program", "sendmail|dnsbl" ]
        drop            => true
    }
    # Tag (without dropping) sendmail lines whose message starts with
    # "Milter"/"milter" so the final stage can remove them.
    grep {
        type            => "sendmail"
        match           => [ "program", "sendmail", "message", "^(M|m)ilter" ]
        drop            => false
        add_tag         => [ "dropper" ]
    }
    # Tag every dnsbl line the same way ("." matches any non-empty message).
    grep {
        type            => "sendmail"
        match           => [ "program", "dnsbl", "message", "." ]
        drop            => false
        add_tag         => [ "dropper" ]
    }
    # Discard everything tagged above: this stage only sees "dropper" events,
    # and negate => true inverts the match so events whose message is
    # non-empty are the ones dropped.
    grep {
        type            => "sendmail"
        tags            => [ "dropper" ]
        match           => [ "message", "." ]
        negate          => true
    }

    # --- linux-syslog events (/var/log/messages) ---
    grok {
        type            => "linux-syslog"
        pattern         => "%{SYSLOGBASE}"
    }
    date {
        # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
        # (grok only copies that text into the timestamp field; this stage is
        # what parses it into the event time. Neither format carries a year,
        # so the parser presumably assumes the current one — TODO confirm the
        # behaviour for lines logged just before a year rollover.)
        type            => "linux-syslog"
        timestamp       => ["MMM dd HH:mm:ss","MMM  d HH:mm:ss"]
    }

    # --- apache-access events (/var/log/httpd/*access*_log) ---
    # Standard combined access-log format. The request, referrer and agent
    # fields it yields are client-supplied text; treat them as untrusted in
    # any downstream search or dashboard.
    grok {
        type            => "apache-access"
        pattern         => "%{COMBINEDAPACHELOG}"
    }
    date {
        # Try to pull the timestamp from the 'timestamp' field (parsed above with
        # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
        # (if the grok above fails there is no timestamp field and this stage
        # has nothing to parse — presumably the event keeps its ingest time.)
        type            => "apache-access"
        timestamp       => "dd/MMM/yyyy:HH:mm:ss Z"
    }

    # --- apache-error events (/var/log/httpd/*error*_log) ---
    # Site-specific APACHE_ERROR_LOG pattern from the same patterns_dir as the
    # sendmail patterns.
    grok {
        type            => "apache-error"
        patterns_dir    => "/var/lib/logstash/data/patterns"
        pattern         => "%{APACHE_ERROR_LOG}"
    }
}

output {
    # Index every event into an Elasticsearch node started inside the logstash
    # process itself (no external cluster required).
    # NOTE(review): an embedded node still accepts HTTP and transport
    # connections without any authentication — confirm it is bound to
    # localhost or firewalled, otherwise the indexed logs (mail addresses,
    # client IPs, request URLs) are readable from the network.
    elasticsearch {
        embedded => true
    }
}