Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
log-format {"timestamp":"%t","src_ip":"%ci","hostname":"%H","status":%ST,"term_state":"%ts","traffic.sent":%B,"traffic.upload":%U,"active_conns":%ac,"timers.upstream_connect":%Tc,"timers.client_connect":%Tq,"timers.upstream_response":%Tr,"timers.session":%Tt,"timers.queue_wait":%Tw,"backend.name":"%b","backend.conn":%bc,"backend.queue":%bq,"frontend.name":"%f","frontend.conns":%fc,"frontend.transport":"%ft","http.vhost":"%[capture.req.hdr(0)]","http.cf-conn-ip":"%[capture.req.hdr(1)]","http.cf-ray":"%[capture.req.hdr(2)]","http.hdr_rsp":"%hsl","http_request":%{+Q}r,"server.name":"%s","server.conns":%sc,"server.queue":%sq,"ssl.version":"%sslv","ssl.cipher":"%sslc","unique":"%ID"}
if [type] == "haproxy" {
grok {
# strip syslog headers, input method "syslog" is too "strict" for the long lines passed from haproxy
match => [ 'message', '<%{POSINT}>%{SYSLOGTIMESTAMP} %{SYSLOGPROG}: %{GREEDYDATA:logline}' ]
}
date {
match => [ 'timestamp', 'dd/MMM/YYYY:HH:mm:ss:SSS' ]
}
json {
source => 'logline'
}
grok {
match => [ 'http_request', '%{NOTSPACE:http.method} %{NOTSPACE:http_pathquery} %{NOTSPACE:http.protocol}']
}
grok {
match => [ 'http_pathquery', '%{URIPATH:http.path}(%{URIPARAM:http.query})?']
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/usr/share/GeoIP/GeoIP.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
mutate { gsub => [ 'ssl.version', '-', 'none' ] }
mutate { 'remove_field' => [ 'logline', 'pid', 'message', 'http_request', 'http_pathquery' ] }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.