Skip to content

Instantly share code, notes, and snippets.

@djalexd

djalexd/logstash.conf

Last active August 29, 2015 14:11
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save djalexd/36ffa04df54e849b45e1 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save djalexd/36ffa04df54e849b45e1 to your computer and use it in GitHub Desktop.
Download ZIP
logstash config #1
Raw
logstash.conf
input {
file {
type => "service"
path => [ "/data/logs/accounts*.log" ]
tags => [ "service-accounts" ]
}
file {
type => "service"
path => [ "/data/logs/payment-instruments*.log" ]
tags => [ "service-payment-instruments" ]
}
file {
type => "proxy"
path => [ "/data/logs/access.log", "/data/logs/error.log" ]
}
}
filter {
if [type] == "service" {
multiline {
type => "somefiletype"
pattern => "^\\s"
what => "previous"
}
grok {
match => [ "message", "%{DATESTAMP:@timestamp}\s+%{LOGLEVEL:loglevel}\s+%{WORD:pid}\s+\[%{GREEDYDATA:thread}\]\s+---\s+%{JAVACLASS:class}\s+\:%{GREEDYDATA:text}" ]
}
} else if [type] == "proxy" {
grok {
match => [
"message", "%{IPORHOST:http_host} %{IPORHOST:client_ip} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:http_status_code} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{NUMBER:time_duration:float} %{NUMBER:time_backend_response:float}",
"message", "%{IPORHOST:http_host} %{IPORHOST:client_ip} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:http_status_code} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{NUMBER:time_duration:float}"
]
}
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
embedded => true
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment