# HG changeset patch
# User Carl Byington
# Date 1380146962 25200
# Node ID 8ed811f9a0bd043a4081d9c0ef31ab6bd47856b3
# Parent 0faebb0b0fa4ffca752d4cae7662ce5350459573
update config files for 1.2.1 syntax changes
diff -r 0faebb0b0fa4 -r 8ed811f9a0bd Makefile
--- a/Makefile Mon Sep 23 11:50:21 2013 -0700
+++ b/Makefile Wed Sep 25 15:09:22 2013 -0700
@@ -48,4 +48,4 @@
 rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild GraphTastic-client-0.0.0-0$(dist).src.rpm
 rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild elasticsearch-$(hv)-0$(dist).src.rpm
 rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild rubygem-tzinfo*src.rpm
- rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild logstash-$(gv)-0$(dist).src.rpm
+ rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild logstash-$(gv)-1$(dist).src.rpm
diff -r 0faebb0b0fa4 -r 8ed811f9a0bd logstash.conf
--- a/logstash.conf Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.conf Wed Sep 25 15:09:22 2013 -0700
@@ -27,58 +27,55 @@
 }
 filter {
- grok {
- type => "sendmail"
- pattern => [ "%{DNSBL}", "%{SENDMAIL}" ]
- patterns_dir => "/var/lib/logstash/data/patterns"
- }
- grep {
- type => "sendmail"
- match => [ "program", "sendmail|dnsbl" ]
- drop => true
- }
- grep {
- type => "sendmail"
- match => [ "program", "sendmail", "message", "^(M|m)ilter" ]
- drop => false
- add_tag => [ "dropper" ]
- }
- grep {
- type => "sendmail"
- match => [ "program", "dnsbl", "message", "." ]
- drop => false
- add_tag => [ "dropper" ]
- }
- grep {
- type => "sendmail"
- tags => [ "dropper" ]
- match => [ "message", "." ]
- negate => true
+ if [type] == "sendmail" {
+ grok {
+ patterns_dir => "/var/lib/logstash/data/patterns"
+ match => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
+ }
+ grep {
+ match => [ "program", "sendmail" ]
+ }
+ grep {
+ match => [ "message", "(M|m)ilter" ]
+ negate => true
+ }
+ date {
+ # get the date from the actual syslog message
+ match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
+ }
 }
- grok {
- type => "linux-syslog"
- pattern => "%{SYSLOGBASE}"
- }
- date {
- # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
- type => "linux-syslog"
- match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
+ if [type] == "linux-syslog" {
+ grok {
+ match => [ "message", "%{SYSLOGBASE}" ]
+ }
+ date {
+ # get the date from the actual syslog message
+ match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
+ }
 }
- grok {
- type => "apache-access"
- pattern => "%{COMBINEDAPACHELOG}"
+
+ if [type] == "apache-access" {
+ grok {
+ match => [ "message", "%{COMBINEDAPACHELOG}" ]
+ }
+ date {
+ # Try to pull the timestamp from the 'timestamp' field (parsed above with
+ # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+ match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+ }
 }
- date {
- # Try to pull the timestamp from the 'timestamp' field (parsed above with
- # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
- type => "apache-access"
- match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
- }
- grok {
- type => "apache-error"
- patterns_dir => "/var/lib/logstash/data/patterns"
- pattern => "%{APACHE_ERROR_LOG}"
+
+ if [type] == "apache-error" {
+ grok {
+ patterns_dir => "/var/lib/logstash/data/patterns"
+ match => [ "message", "%{APACHE_ERROR_LOG}" ]
+ }
+ date {
+ # Try to pull the timestamp from the 'timestamp' field (parsed above with
+ # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+ match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+ }
 }
 }
diff -r 0faebb0b0fa4 -r 8ed811f9a0bd logstash.rc
--- a/logstash.rc Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.rc Wed Sep 25 15:09:22 2013 -0700
@@ -28,7 +28,7 @@
 CONFIGFILE=/etc/logstash/logstash.conf
 LOGFILE=/var/log/logstash/logstash.log
 JARNAME=/usr/share/java/logstash.jar
-ARGS="$JAVAARGS -jar $JARNAME agent --config $CONFIGFILE --log $LOGFILE $AGENTARGS -- $WEBARGS"
+ARGS="$JAVAARGS -jar $JARNAME agent --config $CONFIGFILE --log $LOGFILE $AGENTARGS"
 PIDFILE=/var/run/logstash.pid
 base=logstash
@@ -47,7 +47,7 @@
 cd $HOME pid=$( exec sudo -u logstash /bin/bash - <&2 & + $JAVA $ARGS /dev/null 2>/dev/null & echo \$! EOF )
diff -r 0faebb0b0fa4 -r 8ed811f9a0bd logstash.spec
--- a/logstash.spec Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.spec Wed Sep 25 15:09:22 2013 -0700
@@ -4,7 +4,7 @@
 Summary: logstash is a tool for managing events and logs.
 Name: logstash
 Version: 1.2.1
-Release: 0%{?dist}
+Release: 1%{?dist}
 Group: System Environment/Daemons
 License: Apache 2.0
@@ -117,6 +117,9 @@
 %changelog
+* Sun Sep 22 2013 - 1.2.1-1
+- update config files for 1.2.1 version, some syntax changed
+
 * Sun Sep 22 2013 - 1.2.1-0
 - update to newer logstash
diff -r 0faebb0b0fa4 -r 8ed811f9a0bd logstash.sysconfig
--- a/logstash.sysconfig Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.sysconfig Wed Sep 25 15:09:22 2013 -0700
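Review bot: The sendmail branch's `grep { match => [ "program", "sendmail" ] }` narrows the old `sendmail|dnsbl` match, so events from the dnsbl program — which the grok line just above still parses via %{DNSBL} — are presumably discarded now, since grep drops non-matching events unless `drop => false` is given. If those lines are still wanted, restore the alternation: `match => [ "program", "sendmail|dnsbl" ]`. The milter filter likewise lost its anchor (`^(M|m)ilter` became `(M|m)ilter`), so any message merely mentioning milter is now dropped; re-anchor with `match => [ "message", "^(M|m)ilter" ]` if only milter-prefixed lines are meant. As I recall, grep is deprecated from 1.2 in favour of `drop {}` under a conditional, which would fit the new `if [type]` structure, and the copy-pasted `date {}` comments would be more useful if each named the grok field it relies on instead of repeating the apache wording under the sendmail and syslog branches.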
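Review bot: The new `$JAVA $ARGS ... 2>/dev/null &` line sends the JVM's stderr to /dev/null (the redirections are mangled in this rendering, so this is read from what survives), which means a logstash that exits during startup — for instance on a config-syntax error, exactly the migration this commit performs — leaves no trace beyond the pid echoed by `echo \$!`, which presumably ends up in `$PIDFILE` pointing at a dead process. Keep stderr somewhere inspectable so a silent daemon death can be diagnosed and alerted on, e.g. `$JAVA $ARGS </dev/null >/dev/null 2>>"$LOGFILE" &`, or a dedicated stderr file in the same log directory if interleaving with logstash's own `--log` output is a concern. The enclosing start function continues outside the hunk.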
@@ -12,7 +12,3 @@
 # extra args for agent
 #AGENTARGS=-vvv
-
-# args for web
-#WEBARGS="web --backend elasticsearch://127.0.0.1/?local"
-#WEBARGS=