changeset 34:8ed811f9a0bd

update config files for 1.2.1 syntax changes
author Carl Byington <carl@five-ten-sg.com>
date Wed, 25 Sep 2013 15:09:22 -0700
parents 0faebb0b0fa4
children d5349a22907e
files Makefile logstash.conf logstash.rc logstash.spec logstash.sysconfig
diffstat 5 files changed, 52 insertions(+), 56 deletions(-) [+]
--- a/Makefile	Mon Sep 23 11:50:21 2013 -0700
+++ b/Makefile	Wed Sep 25 15:09:22 2013 -0700
@@ -48,4 +48,4 @@
 	rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild GraphTastic-client-0.0.0-0$(dist).src.rpm
 	rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild elasticsearch-$(hv)-0$(dist).src.rpm
 	rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild rubygem-tzinfo*src.rpm
-	rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild logstash-$(gv)-0$(dist).src.rpm
+	rpmbuild --define "dist $(dist)" --define "_rpmdir $(shell pwd)" --rebuild logstash-$(gv)-1$(dist).src.rpm
--- a/logstash.conf	Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.conf	Wed Sep 25 15:09:22 2013 -0700
@@ -27,58 +27,55 @@
 }
 
 filter {
-    grok {
-        type            => "sendmail"
-        pattern         => [ "%{DNSBL}", "%{SENDMAIL}" ]
-        patterns_dir    => "/var/lib/logstash/data/patterns"
-    }
-    grep {
-        type            => "sendmail"
-        match           => [ "program", "sendmail|dnsbl" ]
-        drop            => true
-    }
-    grep {
-        type            => "sendmail"
-        match           => [ "program", "sendmail", "message", "^(M|m)ilter" ]
-        drop            => false
-        add_tag         => [ "dropper" ]
-    }
-    grep {
-        type            => "sendmail"
-        match           => [ "program", "dnsbl", "message", "." ]
-        drop            => false
-        add_tag         => [ "dropper" ]
-    }
-    grep {
-        type            => "sendmail"
-        tags            => [ "dropper" ]
-        match           => [ "message", "." ]
-        negate          => true
+    if [type] == "sendmail" {
+        grok {
+            patterns_dir    => "/var/lib/logstash/data/patterns"
+            match           => [ "message", "%{DNSBL}|%{SENDMAIL}" ]
+        }
+        grep {
+            match           => [ "program", "sendmail" ]
+        }
+        grep {
+            match           => [ "message", "(M|m)ilter" ]
+            negate          => true
+        }
+        date {
+            # get the date from the actual syslog message
+            match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
+        }
     }
 
-    grok {
-        type            => "linux-syslog"
-        pattern         => "%{SYSLOGBASE}"
-    }
-    date {
-        # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
-        type            => "linux-syslog"
-        match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
+    if [type] == "linux-syslog" {
+        grok {
+            match           => [ "message", "%{SYSLOGBASE}" ]
+        }
+        date {
+            # get the date from the actual syslog message
+            match           => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
+        }
     }
-    grok {
-        type            => "apache-access"
-        pattern         => "%{COMBINEDAPACHELOG}"
+
+    if [type] == "apache-access" {
+        grok {
+            match           => [ "message", "%{COMBINEDAPACHELOG}" ]
+        }
+        date {
+            # Try to pull the timestamp from the 'timestamp' field (parsed above with
+            # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+            match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+        }
     }
-    date {
-        # Try to pull the timestamp from the 'timestamp' field (parsed above with
-        # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
-        type            => "apache-access"
-        match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
-    }
-    grok {
-        type            => "apache-error"
-        patterns_dir    => "/var/lib/logstash/data/patterns"
-        pattern         => "%{APACHE_ERROR_LOG}"
+
+    if [type] == "apache-error" {
+        grok {
+            patterns_dir    => "/var/lib/logstash/data/patterns"
+            match           => [ "message", "%{APACHE_ERROR_LOG}" ]
+        }
+        date {
+            # Try to pull the timestamp from the 'timestamp' field (parsed above with
+            # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
+            match           => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+        }
     }
 }
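Review bot: The milter grep at the new line `match => [ "message", "(M|m)ilter" ]` lost the `^` anchor that the old pattern `^(M|m)ilter` carried, so with `negate => true` it now discards every sendmail event whose message merely contains "milter" or "Milter" anywhere, not only lines that begin with it; if the narrower drop was intended, restore it as `match => [ "message", "^(M|m)ilter" ]`. Since milter lines are often the ones recording policy rejections, a deliberate drop here deserves a comment stating what is being discarded and why. The two new grep blocks also rely on grep's implicit default `drop` (the old config set `drop => true` / `drop => false` explicitly), which a reader may not know; a one-line comment such as `# grep drops non-matching events by default: only program == "sendmail" survives, then milter lines are removed` would make the retained set obvious. Note that the grok still parses `%{DNSBL}` although the first grep appears to drop non-sendmail programs immediately afterwards — presumably intentional, but worth confirming it is not dead work.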
 
--- a/logstash.rc	Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.rc	Wed Sep 25 15:09:22 2013 -0700
@@ -28,7 +28,7 @@
 CONFIGFILE=/etc/logstash/logstash.conf
 LOGFILE=/var/log/logstash/logstash.log
 JARNAME=/usr/share/java/logstash.jar
-ARGS="$JAVAARGS -jar $JARNAME agent --config $CONFIGFILE --log $LOGFILE $AGENTARGS -- $WEBARGS"
+ARGS="$JAVAARGS -jar $JARNAME agent --config $CONFIGFILE --log $LOGFILE $AGENTARGS"
 PIDFILE=/var/run/logstash.pid
 base=logstash
 
@@ -47,7 +47,7 @@
     cd $HOME
     pid=$(
     exec sudo -u logstash /bin/bash - <<EOF
-        $JAVA $ARGS >&2 &
+        $JAVA $ARGS </dev/null >/dev/null 2>/dev/null &
         echo \$!
 EOF
     )
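Review bot: The new start line `$JAVA $ARGS </dev/null >/dev/null 2>/dev/null &` throws away the JVM's stdout and stderr, so anything printed before logstash's own logger is configured — a config parse error, a bad `$JAVAARGS` option, an OutOfMemoryError or a crash trace — leaves no trace, and the service silently fails to come up; the old `>&2` at least surfaced such output through the init script. `--log $LOGFILE` only captures logstash's internal logging once it has started, not the JVM's own diagnostics. Keeping stderr, e.g. `$JAVA $ARGS </dev/null >/dev/null 2>>$LOGFILE &` (or a dedicated startup log file under the same directory), preserves those messages for troubleshooting. The heredoc is unquoted, so `$ARGS` is expanded by the caller and re-parsed by the sudo'd bash; the surrounding start function begins and ends outside this hunk.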
--- a/logstash.spec	Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.spec	Wed Sep 25 15:09:22 2013 -0700
@@ -4,7 +4,7 @@
 Summary:        logstash is a tool for managing events and logs.
 Name:           logstash
 Version:        1.2.1
-Release:        0%{?dist}
+Release:        1%{?dist}
 
 Group:          System Environment/Daemons
 License:        Apache 2.0
@@ -117,6 +117,9 @@
 
 
 %changelog
+* Sun Sep 22 2013  <carl@five-ten-sg.com> - 1.2.1-1
+- update config files for 1.2.1 version, some syntax changed
+
 * Sun Sep 22 2013  <carl@five-ten-sg.com> - 1.2.1-0
 - update to newer logstash
 
--- a/logstash.sysconfig	Mon Sep 23 11:50:21 2013 -0700
+++ b/logstash.sysconfig	Wed Sep 25 15:09:22 2013 -0700
@@ -12,7 +12,3 @@
 
 # extra args for agent
 #AGENTARGS=-vvv
-
-# args for web
-#WEBARGS="web --backend elasticsearch://127.0.0.1/?local"
-#WEBARGS=