# Inputs: three Adobe CQ log files, each tagged with a distinct `type` that the
# filter section below branches on ("cq-access", "cq-request", "cq-error").
# The "/path/to/logs/..." values are placeholders and must be replaced with the
# real log locations; the Logstash process only needs read access to them, so
# grant it nothing more.
# `start_position` is left commented out in every input, so the plugin's default
# applies (tail from the end of files it has not seen before); uncomment it to
# ingest existing content on first start.
input {
  file {
    # start_position => "beginning"
    path => ["/path/to/logs/access.log"]
    type => "cq-access"
  }
  file {
    # start_position => "beginning"
    path => ["/path/to/logs/request.log"]
    type => "cq-request"
  }
  file {
    # start_position => "beginning"
    path => ["/path/to/logs/error.log"]
    type => "cq-error"
  }
}
# Filters: one branch per `type` set in the input section. Every grok pattern
# runs against attacker-influenced log content (request paths, user agents,
# error text), so keep the patterns anchored where possible; events whose grok
# fails are tagged (default `_grokparsefailure`) and still continue to the
# output rather than being dropped.
filter {
  if [type] == "cq-access" {
    # Extract client IP, ident and timestamp from the access-log line. `%{QS}`
    # carries no field name, so the quoted request string is matched but not
    # stored as a field.
    grok {
      match => [ "message", "%{IPORHOST:clientip} - %{USER:ident} %{HTTPDATE:timestamp} %{QS}" ]
    }
    # Use the log's own timestamp as the event time.
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  } else if [type] == "cq-request" {
    # First grok pulls the timestamp and request `id` from the line prefix; the
    # multiline filter below depends on `id` already existing, so this order
    # must not change.
    grok {
      match => [ "message", "^%{HTTPDATE:timestamp} \[%{NUMBER:id}\]"]
    }
    # Lines that do NOT look like a "<-" (response) line are merged into the
    # next line of the same `id`, so each request/response pair becomes one
    # event. Keying on `%{id}` instead of the default stream identity is what
    # keeps interleaved concurrent requests paired correctly.
    multiline {
      pattern => "^%{HTTPDATE:timestamp} \[%{NUMBER:id}\] <-"
      negate => "true"
      what => "next"
      stream_identity => "%{id}"
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    # Flatten the merged message onto a single line so the anchored (`^`/`$`)
    # pattern of the second grok can match across the former line break.
    mutate {
      gsub => [
        "message","\n"," ",
        "message","\r",""
      ]
    }
    # Second grok parses the combined request ("->") and response line into
    # method, path, HTTP version, status, content type and response time (ms,
    # stored as an integer). The unanchored `.*` presumably skips the second
    # timestamp/id prefix of the joined response line — verify against real
    # request.log samples.
    grok {
      match => [ "message", "^%{HTTPDATE:timestamp} \[%{NUMBER:id}\] -> %{WORD:method} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion} .* %{NUMBER:status} %{NOTSPACE:contentType} %{NUMBER:response:int}ms$"]
    }
  }
  else if [type] == "cq-error" {
    # Any line that does not start with a DATESTAMP is appended to the previous
    # event (continuation lines such as stack traces — confirm for this log).
    multiline {
      pattern => "^%{DATESTAMP}"
      negate => "true"
      what => "previous"
    }
    # Extract the timestamp and the severity token enclosed in asterisks.
    grok {
      match => [ "message", "%{DATESTAMP:timestamp} \*%{NOTSPACE:severe}\*"]
    }
    date {
      match => [ "timestamp" , "dd.MM.yyyy HH:mm:ss.SSS" ]
    }
  }
}
# Output: index every event into the Elasticsearch instance on localhost.
# `host` is the legacy single-host option name; no authentication or TLS
# settings are configured, so this relies on Elasticsearch being reachable
# only locally and without credentials — revisit if the cluster is exposed
# beyond this host.
output {
  elasticsearch { host => localhost }
  # Debug sink: prints every full event (including client IPs and request
  # paths) to Logstash's stdout. Keep it disabled outside of troubleshooting.
  # stdout { codec => rubydebug }
}