changeset 1:59fe08a2fcbe
switch to flatjar.jar; fix sendmail patterns
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Fri, 01 Mar 2013 18:40:11 -0800 (2013-03-02) |
parents | df4952a2fb06 |
children | 9e0cdf091b8a |
files | logstash.conf logstash.spec sendmail.pattern |
diffstat | 3 files changed, 20 insertions(+), 18 deletions(-) [+] |
--- a/logstash.conf Fri Mar 01 14:58:09 2013 -0800
+++ b/logstash.conf Fri Mar 01 18:40:11 2013 -0800
@@ -16,14 +16,14 @@
 type => "linux-syslog"
 path => "/var/log/messages"
 }
-# file {
-# type => "apache-access"
-# path => "/var/log/httpd/*access*_log"
-# }
-# file {
-# type => "apache-error"
-# path => "/var/log/httpd/*error*_log"
-# }
+ file {
+ type => "apache-access"
+ path => "/var/log/httpd/*access*_log"
+ }
+ file {
+ type => "apache-error"
+ path => "/var/log/httpd/*error*_log"
+ }
 }
 filter {
@@ -37,12 +37,11 @@
 type => "linux-syslog"
 pattern => "%{SYSLOGBASE}"
 }
-# date {
-# # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
-# type => "linux-syslog"
-# timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
-# }
-
+ date {
+ # do we need this? the above picks up SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
+ type => "linux-syslog"
+ timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
+ }
 grok {
 type => "apache-access"
 pattern => "%{COMBINEDAPACHELOG}"
@@ -52,8 +51,7 @@
 # Try to pull the timestamp from the 'timestamp' field (parsed above with
 # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
 timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
- }
-
+ }
 grok {
 type => "apache-error"
 patterns_dir => "/var/lib/logstash/data/patterns"
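Review bot: The re-enabled `date` block in the second hunk still carries the unresolved `# do we need this? the above picks up SYSLOGTIMESTAMP …` comment, so a reader cannot tell whether the filter is now deliberate or still an experiment. The context in the third hunk shows the apache `date` filter working on the field that `grok` captured, which is presumably also the purpose here — say so instead of asking, e.g. `# grok only captures the syslog timestamp text; this date filter sets the event time from it`. The formats `MMM dd HH:mm:ss` and `MMM d HH:mm:ss` carry no year and no zone, so both presumably come from the logstash host; a second comment recording that assumption would help, since it affects event ordering across a year boundary and for hosts in other zones. The first hunk's apache `file` inputs and the third hunk's brace change raise nothing.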
--- a/logstash.spec Fri Mar 01 14:58:09 2013 -0800
+++ b/logstash.spec Fri Mar 01 18:40:11 2013 -0800
@@ -11,7 +11,8 @@
 Group: Applications/Productivity
 URL: http://logstash.net/
 BuildArch: noarch
-Source0: https://logstash.objects.dreamhost.com/release/%{name}-%{version}-monolithic.jar
+#Source0: https://logstash.objects.dreamhost.com/release/%{name}-%{version}-monolithic.jar
+Source0: http://logstash.objects.dreamhost.com/release/%{name}-%{version}-flatjar.jar
 Source1: logstash.rc
 Source2: %{name}.conf
 Source3: apache.pattern
@@ -46,7 +47,8 @@
 install -D -m 640 apache.pattern $RPM_BUILD_ROOT/var/lib/%{name}/data/patterns/apache
 install -D -m 640 sendmail.pattern $RPM_BUILD_ROOT/var/lib/%{name}/data/patterns/sendmail
 install -D -m 755 %{name}.rc $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
-install -D -m 750 %{name}-%{version}-monolithic.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar
+#nstall -D -m 750 %{name}-%{version}-monolithic.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar
+install -D -m 750 %{name}-%{version}-flatjar.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar
 install -D -m 640 %{name}.conf $RPM_BUILD_ROOT/etc/%{name}/%{name}.conf
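Review bot: The new `Source0` line changes the download scheme from `https://` to `http://` while switching to the flatjar, so the artifact that the second hunk installs as `%{_bindir}/%{name}.jar` is fetched over plaintext with nothing in the spec verifying what arrived. Unless the mirror no longer serves TLS, keep the scheme: `Source0: https://logstash.objects.dreamhost.com/release/%{name}-%{version}-flatjar.jar`. If plaintext is unavoidable, record the expected digest of the release jar in the spec or build tooling and check it before install (a `sha256sum -c` step against the recorded value) so a corrupted or altered download fails the build instead of shipping. The retained `#Source0` comment could also say in a few words why the monolithic jar was dropped, since the commit message only names the switch.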
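Review bot: The new commented-out line in the second hunk reads `#nstall -D -m 750 %{name}-%{version}-monolithic.jar …`: the `#` overwrote the `i` of `install` instead of being prepended, so the dead line is no longer a faithful copy of what it disables. Either write it as `#install -D -m 750 %{name}-%{version}-monolithic.jar $RPM_BUILD_ROOT/%{_bindir}/%{name}.jar` or drop it, since the history is in version control and the `Source0` change in the first hunk already records the switch. The enclosing install section continues outside the hunk.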
--- a/sendmail.pattern Fri Mar 01 14:58:09 2013 -0800
+++ b/sendmail.pattern Fri Mar 01 18:40:11 2013 -0800
@@ -1,8 +1,10 @@
 # https://raw.github.com/augieschwer/grok-patterns/master/sendmail.grok
 #
+LOGIN [.a-zA-Z0-9_-]+
 EMAIL %{LOGIN}@%{IPORHOST}
 DSN [0-9][.][0-9][.][0-9]
+QID [A-za-z0-9]{14}
 # Match a relay that gives us a QID in the return status.
 SENDMAIL_TO_1 %{SYSLOGBASE} %{QID:qid}: to=<%{EMAIL:to}>, (%{WORD}=%{DATA},)+ relay=%{IPORHOST:relay} \[%{IP}\], dsn=%{DSN:dsn}, stat=%{DATA:status} \(%{QID:qid} %{GREEDYDATA:status_message}\)
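Review bot: The new `QID [A-za-z0-9]{14}` pattern uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the class accepts punctuation that is not part of a sendmail queue id; the intended definition is almost certainly `QID [A-Za-z0-9]{14}`. The effect is not cosmetic: `%{QID:qid}` is used twice in `SENDMAIL_TO_1`, once for the local id and once inside the `stat=` parenthesis, and a looser class lets unrelated text land in the `qid` field that later searches and correlation key on. The `LOGIN` pattern added above it reads fine; a one-line comment saying whether it matches the upstream grok file linked at the top of the file, or how it deliberately differs, would spare the next reader a comparison.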