WPsites/gist:4232931

## gistfile1.txt
input {
  <% if node['logstash']['server']['inputs'].empty? -%>
  tcp {
    type => "tcp-input"
    port => "5959"
    format => "json_event"
  }
  <% else -%>
    <%= LogstashConf.section_to_str(node['logstash']['server']['inputs']) %>
  <% end -%>
}


filter {
grok {
      type => "syslog"
      pattern => [ "<%%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{@source_host}" ]
  }
  syslog_pri {
      type => "syslog"
  }
  date {
      type => "syslog"
      syslog_timestamp => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
  mutate {
      type => "syslog"
      exclude_tags => "_grokparsefailure"
      replace => [ "@source_host", "%{syslog_hostname}" ]
      replace => [ "@message", "%{syslog_message}" ]
  }
  mutate {
      type => "syslog"
      remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
  }
}

output {
  <% if node['logstash']['server']['debug'] -%>
  stdout { debug => true debug_format => "json" }
  <% end -%>
  <% if @enable_embedded_es -%>
  elasticsearch { embedded => true }
  <% elsif not @es_server_ip.empty? -%>
  elasticsearch { host => "<%= @es_server_ip %>" cluster => "<%= @es_cluster %>" }
  <% end -%>
  <% unless @graphite_server_ip.empty? -%>
  graphite { host => "<%= @graphite_server_ip %>" metrics => ["logstash.events", "1"] }
  <% end -%>
  <% # unless node['logstash']['server']['outputs'].empty? -%>
    <%= LogstashConf.section_to_str(node['logstash']['server']['outputs']) %>
  <% # end -%>
}
	input {
	<% if node['logstash']['server']['inputs'].empty? -%>
	tcp {
	type => "tcp-input"
	port => "5959"
	format => "json_event"
	}
	<% else -%>
	<%= LogstashConf.section_to_str(node['logstash']['server']['inputs']) %>
	<% end -%>
	}


	filter {
	grok {
	type => "syslog"
	pattern => [ "<%%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{@source_host}" ]
	}
	syslog_pri {
	type => "syslog"
	}
	date {
	type => "syslog"
	syslog_timestamp => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
	}
	mutate {
	type => "syslog"
	exclude_tags => "_grokparsefailure"
	replace => [ "@source_host", "%{syslog_hostname}" ]
	replace => [ "@message", "%{syslog_message}" ]
	}
	mutate {
	type => "syslog"
	remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
	}
	}

	output {
	<% if node['logstash']['server']['debug'] -%>
	stdout { debug => true debug_format => "json" }
	<% end -%>
	<% if @enable_embedded_es -%>
	elasticsearch { embedded => true }
	<% elsif not @es_server_ip.empty? -%>
	elasticsearch { host => "<%= @es_server_ip %>" cluster => "<%= @es_cluster %>" }
	<% end -%>
	<% unless @graphite_server_ip.empty? -%>
	graphite { host => "<%= @graphite_server_ip %>" metrics => ["logstash.events", "1"] }
	<% end -%>
	<% # unless node['logstash']['server']['outputs'].empty? -%>
	<%= LogstashConf.section_to_str(node['logstash']['server']['outputs']) %>
	<% # end -%>
	}