# Logstash pipeline: tail the sendmail, syslog and Apache logs on this host,
# normalise each event's timestamp to the one inside the log line, and index
# the events into an embedded Elasticsearch node.
#
# The rpm install already set the following ACL entries so the logstash user
# can read the inputs without running as root. They are read-only (r / rx):
# the agent needs no write access to any of these files.
#
#   setfacl -m u:logstash:rx /var/log/httpd
#   setfacl -m u:logstash:r /var/log/messages
#   setfacl -m u:logstash:r /var/log/maillog
#
# You need to allow user logstash to read any input files specified here;
# a new file {} block below needs a matching read ACL.
input {
  file {
    type => "sendmail"
    path => "/var/log/maillog"
  }
  file {
    type => "linux-syslog"
    path => "/var/log/messages"
  }
  # Globs: every rotated/virtual-host access log under /var/log/httpd.
  file {
    type => "apache-access"
    path => "/var/log/httpd/*access*_log"
  }
  file {
    type => "apache-error"
    path => "/var/log/httpd/*error*_log"
  }
}

filter {
  # Events whose grok match fails are tagged _grokparsefailure and still
  # flow on to the output (default grok behaviour — verify for the installed
  # version); their date filter then has no "timestamp" field to read, so
  # such events keep their ingestion time as @timestamp.
  if [type] == "sendmail" {
    grok {
      # DNSBL and SENDMAIL are site patterns from patterns_dir, not core
      # patterns; the alternation tries the DNSBL form first.
      patterns_dir => "/var/lib/logstash/data/patterns"
      match => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
    }
    # Keep only events whose program field matches; non-matching events are
    # dropped. The regex is unanchored, so it also matches e.g. "sendmail-x".
    grep {
      match => [ "program", "sendmail" ]
    }
    # negate => true inverts the test: events mentioning the milter are
    # dropped, everything else passes.
    # NOTE(review): the grep filter has since been removed from Logstash; on
    # newer releases the same effect needs a conditional around drop {}.
    grep {
      match => [ "message", "(M|m)ilter" ]
      negate => true
    }
    date {
      # Get the date from the actual syslog message, not the read time.
      # Syslog timestamps carry no year, so the parser infers one; events
      # read across a year boundary can be dated a year off.
      # NOTE(review): syslog pads single-digit days with a space ("Oct  5"),
      # and the second pattern is normally written with two spaces between
      # MMM and d — confirm this file was not whitespace-normalised.
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }
  if [type] == "linux-syslog" {
    grok {
      # Core pattern: timestamp, host, program[pid] prefix of a syslog line.
      match => [ "message", "%{SYSLOGBASE}" ]
    }
    date {
      # Get the date from the actual syslog message (same year-inference and
      # day-padding caveats as the sendmail block above).
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }
  if [type] == "apache-access" {
    grok {
      # Core pattern for the Apache "combined" access-log format.
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
    date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
  if [type] == "apache-error" {
    grok {
      # APACHE_ERROR_LOG is a site pattern from patterns_dir; its output
      # fields are defined there, not here.
      patterns_dir => "/var/lib/logstash/data/patterns"
      match => [ "message", "%{APACHE_ERROR_LOG}" ]
    }
    date {
      # Pull the timestamp from the 'timestamp' field set by the grok above.
      # NOTE(review): this format is the access-log one
      # ("18/Aug/2011:05:44:34 -0700"); Apache's default error_log stamp
      # looks like "[Thu Jun 22 14:20:55 2017]". Confirm that the custom
      # APACHE_ERROR_LOG pattern emits a timestamp in the format matched
      # here, otherwise every error event falls back to ingestion time.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}

output {
  # Embedded Elasticsearch node running inside the Logstash process; the
  # host setting points the output at the loopback address.
  # NOTE(review): no authentication or TLS is configured for this node —
  # confirm which interfaces/ports the embedded node itself listens on and
  # that they are not reachable from outside this host.
  elasticsearch {
    embedded => true
    host => "127.0.0.1"
  }
}