# HG changeset patch
# User Carl Byington
# Date 1362192011 28800
# Node ID 59fe08a2fcbe4047c6dbda338990e1bc0dc20d33
# Parent df4952a2fb06d74b774b4fc934659d8ffdaa3b69
switch to flatjar.jar; fix sendmail patterns

diff -r df4952a2fb06 -r 59fe08a2fcbe logstash.conf
--- a/logstash.conf Fri Mar 01 14:58:09 2013 -0800
+++ b/logstash.conf Fri Mar 01 18:40:11 2013 -0800
@@ -16,14 +16,14 @@
 type => "linux-syslog"
 path => "/var/log/messages"
 }
-# file {
-# type => "apache-access"
-# path => "/var/log/httpd/*access*_log"
-# }
-# file {
-# type => "apache-error"
-# path => "/var/log/httpd/*error*_log"
-# }
+ file {
+ type => "apache-access"
+ path => "/var/log/httpd/*access*_log"
+ }
+ file {
+ type => "apache-error"
+ path => "/var/log/httpd/*error*_log"
+ }
 }
 filter {
@@ -37,12 +37,11 @@
 type => "linux-syslog"
 pattern => "%{SYSLOGBASE}"
 }
-# date {
-# # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
-# type => "linux-syslog"
-# timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
-# }
-
+ date {
+ # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
+ type => "linux-syslog"
+ timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
+ }
 grok {
 type => "apache-access"
 pattern => "%{COMBINEDAPACHELOG}"
@@ -52,8 +51,7 @@
 # Try to pull the timestamp from the 'timestamp' field (parsed above with
 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
 timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
- }
-
+ }
 grok {
 type => "apache-error"
 patterns_dir => "/var/lib/logstash/data/patterns"
diff -r df4952a2fb06 -r 59fe08a2fcbe logstash.spec
--- a/logstash.spec Fri Mar 01 14:58:09 2013 -0800
+++ b/logstash.spec Fri Mar 01 18:40:11 2013 -0800
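Review bot: The two formats in the re-enabled `date` filter, `"MMM dd HH:mm:ss"` and `"MMM d HH:mm:ss"`, carry neither a year nor a zone, so the parsed event time presumably gets the current year and the host's local zone filled in; entries read across a year boundary (December lines processed in January) would then land in the wrong year, which is worth stating next to the filter so the next reader knows it is accepted. The comment carried over from the disabled block, `# do we need this? ...`, asks a question that enabling the filter answers; replace it with a statement such as `# SYSLOGBASE only captures the timestamp text; this date filter is what parses it into the event timestamp`. The enclosing `filter { ... }` block starts and ends outside this hunk.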
@@ -11,7 +11,8 @@
 Group: Applications/Productivity
 URL: http://logstash.net/
 BuildArch: noarch
-Source0: https://logstash.objects.dreamhost.com/release/%{name}-%{version}-monolithic.jar
+#Source0: https://logstash.objects.dreamhost.com/release/%{name}-%{version}-monolithic.jar
+Source0: http://logstash.objects.dreamhost.com/release/%{name}-%{version}-flatjar.jar
 Source1: logstash.rc
 Source2: %{name}.conf
 Source3: apache.pattern
@@ -46,7 +47,8 @@
 install -D -m 640 apache.pattern $RPM_BUILD_ROOT/var/lib/%{name}/data/patterns/apache
 install -D -m 640 sendmail.pattern $RPM_BUILD_ROOT/var/lib/%{name}/data/patterns/sendmail
 install -D -m 755 %{name}.rc $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
-install -D -m 750 %{name}-%{version}-monolithic.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar
+#nstall -D -m 750 %{name}-%{version}-monolithic.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar
+install -D -m 750 %{name}-%{version}-flatjar.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar
 install -D -m 640 %{name}.conf $RPM_BUILD_ROOT/etc/%{name}/%{name}.conf
diff -r df4952a2fb06 -r 59fe08a2fcbe sendmail.pattern
--- a/sendmail.pattern Fri Mar 01 14:58:09 2013 -0800
+++ b/sendmail.pattern Fri Mar 01 18:40:11 2013 -0800
@@ -1,8 +1,10 @@
 # https://raw.github.com/augieschwer/grok-patterns/master/sendmail.grok
 #
+LOGIN [.a-zA-Z0-9_-]+
 EMAIL %{LOGIN}@%{IPORHOST}
 DSN [0-9][.][0-9][.][0-9]
+QID [A-za-z0-9]{14}
 # Match a relay that gives us a QID in the return status.
 SENDMAIL_TO_1 %{SYSLOGBASE} %{QID:qid}: to=<%{EMAIL:to}>, (%{WORD}=%{DATA},)+ relay=%{IPORHOST:relay} \[%{IP}\], dsn=%{DSN:dsn}, stat=%{DATA:status} \(%{QID:qid} %{GREEDYDATA:status_message}\)
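Review bot: The new `Source0` fetches the flatjar over plain `http://` while the line it replaces used `https://` on the same host, so any tool that downloads from Source0 now pulls an executable artifact with no transport integrity, and the spec carries no checksum to compensate. Keep the scheme: `Source0: https://logstash.objects.dreamhost.com/release/%{name}-%{version}-flatjar.jar`, and consider recording the jar's expected digest (value to be taken from the release, not invented here) and checking it in `%prep`. The commented-out `#Source0:` copy of the old URL should be removed rather than kept, since the repository history already preserves it; the same applies to the `#nstall` line in the second hunk of this file, where the old install line was disabled by overwriting its first character and now reads as neither a command nor a deliberate comment.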
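Review bot: `install -D -m 750 ... $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar` leaves the jar readable only by its owner and group, which with install's defaults is root; if the init script shipped as Source1 starts the JVM as a dedicated service user, which this hunk cannot show, that user cannot open the jar and the service fails at startup. A jar under `%{_bindir}` is not a secret, so `install -D -m 755 %{name}-%{version}-flatjar.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar` is the usual choice; verify the run-as user against logstash.rc before changing it.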