
@cabecada
Created March 9, 2017 13:44
logstash config sensu
# Beats listener: accepts events from a Beats shipper on TCP 5144 and decodes
# each one with the json codec.
# NOTE(review): no host and no ssl options are set, so the plugin defaults
# apply: the listener binds to all interfaces and accepts plaintext,
# unauthenticated connections. Any host that can reach the port can submit
# events. Outside a lab, enable the plugin's TLS settings with client
# certificate verification and/or restrict the port at the network layer.
input {
beats {
port => 5144
codec => json
}
}
# Keep only log lines whose message is exactly "processing event"; every
# other line arriving on the input is dropped here.
filter {
if [message] != "processing event" {
drop {
}
}
}
# Drop "create" events that are not the first occurrence, so a check that
# keeps failing is recorded once rather than on every run. Events with any
# other action are not affected by this condition.
# NOTE(review): assumes [event][occurrences] is decoded as a number by the
# json codec; if it arrived as a string the "!= 1" test would always be true
# and every "create" event would be dropped. TODO confirm.
filter {
if ( ( [event][occurrences] != 1 ) and ( [event][action] == "create" ) ) {
drop {
}
}
}
# Flatten the nested [event] object into top-level fields with dotted names,
# then remove the nested original.
# - Every value is built with a sprintf reference, so it is stored as a
#   string: numbers, booleans and nested objects/arrays alike (nested objects
#   come out as JSON text, as the sample output in this file shows).
# - NOTE(review): when a referenced field is absent from an event, sprintf
#   leaves the literal "%{[...]}" text as the value. Confirm that every field
#   listed here is always present, or guard the optional ones with a condition.
# - NOTE(review): event.check.command and event.check.output are copied
#   verbatim. Command lines and check output can carry credentials or other
#   sensitive data; decide on redaction and access control for the final
#   destination of these events.
filter {
mutate {
add_field => {
# Client (agent) attributes
"event.client.name" => "%{[event][client][name]}"
"event.client.address" => "%{[event][client][address]}"
"event.client.subscriptions" => "%{[event][client][subscriptions]}"
"event.client.redact" => "%{[event][client][redact]}"
"event.client.socket" => "%{[event][client][socket]}"
"event.client.safe_mode" => "%{[event][client][safe_mode]}"
"event.client.keepalive" => "%{[event][client][keepalive]}"
"event.client.version" => "%{[event][client][version]}"
"event.client.timestamp" => "%{[event][client][timestamp]}"
# Check definition and result attributes
"event.check.command" => "%{[event][check][command]}"
"event.check.dependencies" => "%{[event][check][dependencies]}"
"event.check.handlers" => "%{[event][check][handlers]}"
"event.check.interval" => "%{[event][check][interval]}"
"event.check.runbook" => "%{[event][check][runbook]}"
"event.check.team" => "%{[event][check][team]}"
"event.check.alert_after" => "%{[event][check][alert_after]}"
"event.check.realert_every" => "%{[event][check][realert_every]}"
"event.check.page" => "%{[event][check][page]}"
"event.check.ticket" => "%{[event][check][ticket]}"
"event.check.region" => "%{[event][check][region]}"
"event.check.standalone" => "%{[event][check][standalone]}"
"event.check.timeout" => "%{[event][check][timeout]}"
"event.check.name" => "%{[event][check][name]}"
"event.check.issued" => "%{[event][check][issued]}"
"event.check.executed" => "%{[event][check][executed]}"
"event.check.duration" => "%{[event][check][duration]}"
"event.check.output" => "%{[event][check][output]}"
"event.check.status" => "%{[event][check][status]}"
"event.check.type" => "%{[event][check][type]}"
"event.check.history" => "%{[event][check][history]}"
"event.check.total_state_change" => "%{[event][check][total_state_change]}"
# Event-level attributes
"event.occurrences" => "%{[event][occurrences]}"
"event.occurrences_watermark" => "%{[event][occurrences_watermark]}"
"event.action" => "%{[event][action]}"
"event.timestamp" => "%{[event][timestamp]}"
"event.id" => "%{[event][id]}"
"event.last_state_change" => "%{[event][last_state_change]}"
"event.last_ok" => "%{[event][last_ok]}"
"event.silenced" => "%{[event][silenced]}"
"event.silenced_by" => "%{[event][silenced_by]}"
}
}
# Runs after the copy above: discard the nested [event] object. Any
# sub-field not listed in add_field is lost at this point.
mutate {
remove_field => [ "event" ]
}
}
# Debug output only: pretty-prints every surviving event to Logstash's stdout.
# NOTE(review): full events, including check commands and check output, end
# up wherever stdout is captured (console, service log). Replace this with the
# real destination before production use and check who can read that log.
output {
stdout { codec => rubydebug }
}
##### Output from Logstash
##### Note: all numbers in the flattened event.* fields are strings
{
"event.check.timeout" => "10",
"event.client.socket" => "{\"bind\":\"127.0.0.1\",\"port\":3030}",
"source" => "/var/log/sensu/sensu-server.log",
"event.occurrences_watermark" => "1",
"type" => "sensu-event-logs-v2",
"event.check.command" => "/bin/bash /tmp/foo",
"event.client.timestamp" => "1489066880",
"event.client.address" => "172.16.5.4",
"beat" => {
"hostname" => "ubuntu1404-4",
"name" => "ubuntu1404-4.vagrant.local",
"version" => "5.2.1"
},
"host" => "ubuntu1404-4",
"sourcetype" => "sensu_server",
"event.client.version" => "0.26.5",
"event.check.dependencies" => "",
"event.client.name" => "ubuntu1404-4.vagrant.local",
"offset" => 489874,
"event.check.alert_after" => "10",
"level" => "info",
"input_type" => "log",
"event.check.output" => "######foobar\"\n",
"event.check.team" => "ops_infrastructure",
"event.check.ticket" => "false",
"event.timestamp" => "1489066886",
"tags" => [
[0] "beats_input_codec_json_applied"
],
"event.check.duration" => "0.003",
"event.check.executed" => "1489066886",
"event.silenced" => "false",
"event.occurrences" => "1",
"event.check.interval" => "10",
"event.check.type" => "standard",
"event.silenced_by" => "",
"event.check.standalone" => "true",
"event.check.realert_every" => "-1",
"event.last_state_change" => "1489066886",
"event.last_ok" => "1489066886",
"event.client.safe_mode" => "true",
"event.check.total_state_change" => "6",
"@version" => "1",
"event.client.subscriptions" => "production,sensu_server,client:ubuntu1404-4.vagrant.local",
"event.check.runbook" => "https://wiki.otcorp.opentable.com/",
"event.check.issued" => "1489066886",
"timestamp" => "2017-03-09T13:41:26.476064+0000",
"event.check.status" => "2",
"event.check.region" => "vagrant-vagrant",
"message" => "processing event",
"event.check.history" => "0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2",
"event.action" => "create",
"@timestamp" => 2017-03-09T13:41:29.087Z,
"event.check.page" => "false",
"event.client.keepalive" => "{}",
"event.client.redact" => "",
"event.check.handlers" => "default",
"event.check.name" => "example",
"event.id" => "11ed1e02-301a-472d-b589-a9e28f4b3136"
}

cabecada commented Mar 9, 2017

Use this before the filtering above, to update @timestamp with the Sensu event timestamp and convert the epoch values to ISO format.

# Convert Sensu's epoch-second fields to timestamps while [event] is still a
# nested object, i.e. before any filter that flattens or removes [event].
# The condition is an unanchored regex, so it matches any [type] value that
# contains "sensu-event-log" (for example "sensu-event-logs-v2").
# NOTE(review): a value that does not parse as UNIX epoch is left unchanged
# and the event is tagged by the date filter's failure tag; consider alerting
# on that tag so malformed timestamps are noticed.
filter {

if [type] =~ /sensu-event-log/ {
# last_ok: parse as UNIX epoch and overwrite the field in place.
date {
match => [ "[event][last_ok]","UNIX" ]
target => "[event][last_ok]"
}
# last_state_change: same in-place conversion.
date {
match => [ "[event][last_state_change]","UNIX" ]
target => "[event][last_state_change]"
}
# The check's executed time becomes the event's @timestamp, replacing the
# time at which Logstash received the log line.
date {
match => [ "[event][check][executed]","UNIX" ]
target => "@timestamp"
}
# issued: same in-place conversion.
date {
match => [ "[event][check][issued]","UNIX" ]
target => "[event][check][issued]"
}
}
}
