
fix license tags in spec files to be fedora compatible
author Carl Byington <carl@five-ten-sg.com>
date Wed, 25 Sep 2013 21:00:11 -0700
parents 8ed811f9a0bd
children

#
# The rpm %post already granted the (unprivileged) logstash user read
# access to the default inputs with POSIX ACLs, so nothing here has to
# run as root:
#
# setfacl -m u:logstash:rx /var/log/httpd
# setfacl -m u:logstash:r  /var/log/messages
# setfacl -m u:logstash:r  /var/log/maillog
#
# Any additional input file you add below must be made readable by the
# logstash user the same way (prefer a file ACL over widening the mode).
# NOTE(review): a per-file ACL does not automatically carry over to the
# new file that logrotate (or the daemon) creates after rotation; re-check
# with `getfacl` after the first rotation and, if it was lost, restore it
# from a logrotate postrotate hook or a default ACL on the directory.

# Local log files tailed by this node. Each file input keeps its own read
# offset (sincedb) so restarts do not re-ingest old lines.
# NOTE(review): the sincedb defaults to a dotfile under the logstash user's
# $HOME; confirm that directory exists and is writable by that user, or
# set sincedb_path explicitly.
input {
    # Mail log, parsed with the custom DNSBL/SENDMAIL patterns in the filter.
    file {
        type => "sendmail"
        path => [ "/var/log/maillog" ]
    }

    # Generic syslog stream.
    file {
        type => "linux-syslog"
        path => [ "/var/log/messages" ]
    }

    # Apache access and error logs; the globs pick up every vhost's files
    # (the 'x' bit in the ACL on /var/log/httpd is what allows the glob).
    file {
        type => "apache-access"
        path => [ "/var/log/httpd/*access*_log" ]
    }
    file {
        type => "apache-error"
        path => [ "/var/log/httpd/*error*_log" ]
    }
}

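# Per-type parsing. Every line reaching this stage is untrusted input (a
# remote peer controls most of what ends up in maillog, messages and the
# Apache logs), so the only work done on it is pattern matching and date
# parsing; nothing is executed or reflected back.
#
# NOTE(review): the DNSBL, SENDMAIL and APACHE_ERROR_LOG patterns live in
# /var/lib/logstash/data/patterns, outside this file; since attacker-
# chosen text is fed to them, check them for catastrophic backtracking.
filter {
    if [type] == "sendmail" {
        grok {
            patterns_dir    => "/var/lib/logstash/data/patterns"
            match           => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
        }

        # Keep only sendmail's own lines and skip milter chatter. This used
        # to be two 'grep' filters; grep is deprecated in favour of the
        # conditionals + drop used throughout this file, which has the same
        # effect: an event is dropped when [program] does not contain
        # "sendmail" (including when grok failed and left it unset), or
        # when the message mentions a milter.
        # NOTE(review): assumes the custom patterns above populate [program]
        # as %{SYSLOGBASE} would - confirm against the pattern file.
        if [program] !~ /sendmail/ {
            drop { }
        }
        if [message] =~ /(M|m)ilter/ {
            drop { }
        }

        date {
            # Use the timestamp inside the syslog line, not ingest time.
            # Both forms are tried because syslog pads single-digit days
            # with a space. The year is not in the line, so the current
            # year is assumed (watch events around New Year).
            match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
        }
    }

    if [type] == "linux-syslog" {
        grok {
            match           => [ "message", "%{SYSLOGBASE}" ]
        }
        date {
            # Same syslog timestamp handling as for sendmail above.
            match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
        }
    }

    if [type] == "apache-access" {
        grok {
            match           => [ "message", "%{COMBINEDAPACHELOG}" ]
        }
        date {
            # Take @timestamp from the 'timestamp' field grok extracted.
            # Combined-log timestamps look like "18/Aug/2011:05:44:34 -0700".
            match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
    }

    if [type] == "apache-error" {
        grok {
            patterns_dir    => "/var/lib/logstash/data/patterns"
            match           => [ "message", "%{APACHE_ERROR_LOG}" ]
        }
        date {
            # Take @timestamp from the 'timestamp' field set by the custom
            # APACHE_ERROR_LOG pattern.
            # NOTE(review): this format is the *access*-log one
            # ("18/Aug/2011:05:44:34 -0700"); a stock Apache error log
            # stamps lines as "[Wed Oct 11 14:32:52 2000]". Unless the
            # custom pattern normalises the date, these events will carry
            # a _dateparsefailure tag and ingest-time @timestamp - verify
            # against the pattern file and adjust the format if needed.
            match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
    }
}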

# Index everything into the Elasticsearch node that runs inside this
# logstash JVM (embedded => true); 'host' is where the output connects,
# i.e. the loopback address of that same node.
# NOTE(review): 'host' is not the embedded node's bind address. The
# embedded node exposes HTTP (9200) and transport (9300) ports with no
# authentication, so confirm it is bound to loopback or that those ports
# are firewalled from every other host - otherwise anyone who can reach
# them can read or delete the indexed logs.
output {
    elasticsearch {
        embedded => true
        host     => "127.0.0.1"
    }
}