Logstash 2.1.x config for log4net logs.
# Tail the log4net files and fold continuation lines (stack traces, wrapped
# text) into the event that started them.
input {
  file {
    type => "log4net"
    # ".../" is the author's placeholder; replace it with real locations.
    # Every *.log in that directory is ingested, and its content is later
    # parsed into fields by the filters, so the directory should be writable
    # only by the application that produces the logs.
    path => ".../Logs/*.log"
    sincedb_path => ".../since.db"
    # negate + previous: any line that does NOT start with an ISO8601
    # timestamp followed by a space is appended to the preceding event.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      what => previous
      negate => true
    }
    # start_position => "beginning" - does not work with the codec in logstash 2.1
  }
}
# Filters run top to bottom; later stages depend on fields set by earlier ones.
filter {
  # Derive the file name and the optional "-[pid]" suffix from the source path.
  grok {
    match => { "path" => "(?<filename>[^/]+?)(-\[(?<processid>\d+)\])?\.log" }
    # The pid group is optional. When it is absent, the %{processid} reference
    # has nothing to resolve to and is kept as literal text in "process".
    add_field => { "process" => "%{host}:%{processid}" }
  }

  if [type] == "log4net" {
    # Split the log4net layout: timestamp [thread] LEVEL class NDC - message.
    # NOTE(review): GREEDYDATA is ".*", and "." stops at a newline unless (?m)
    # is in effect. Verify on a multi-line event that the stack trace survives
    # this overwrite of "message".
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{NUMBER:threadid}\] %{WORD:level}\s*%{DATA:class} %{DATA:NDC} - %{GREEDYDATA:message}" }
      overwrite => ["message", "timestamp"]
    }

    # Use the log line's own time as the event time, then drop the raw string.
    date {
      match => ["timestamp","yyyy-MM-dd HH:mm:ss,SSS"]
      remove_field => ["timestamp"]
    }

    # Keep the first line as "message"; anything after the first newline goes
    # to "exception" (same newline caveat as above for ".*").
    grok {
      match => { "message" => "(?<message>[^\r\n]*)\r?(\n(?<exception>.*))?" }
      overwrite => ["message"]
    }
  }

  # Turn "key:value" pairs found in the message text into event fields.
  # NOTE(review): with no target set, the parsed keys are written to the event
  # root, and the key names come from log content. Any text that reaches the
  # log (request data, user names, ...) can therefore add arbitrary fields,
  # may collide with existing ones such as host/type/path, and can grow the
  # Elasticsearch mapping without bound. Enabling the commented-out target, or
  # restricting keys with include_keys, confines that. The mutate below would
  # then have to reference the nested field names.
  kv {
    source => "message"
    value_split => ":"
    trim => "\r\(\)"
    trimkey => "\r\(\)"
    allow_duplicate_values => false
    # target => "props"
  }

  # Numeric typing for the fields that are meant to be numbers. Elapsed and
  # ItemId are produced by the kv stage above, if present in the message.
  mutate {
    convert => {
      "processid" => "integer"
      "threadid" => "integer"
      "Elapsed" => "integer"
      "ItemId" => "integer"
    }
  }
}
# Ship every event to a local Elasticsearch node and echo it to the console.
output {
  elasticsearch {
    # Loopback address, with no credentials or TLS configured in this block.
    # That is only reasonable while Elasticsearch listens on localhost. If the
    # host is changed to a remote node, add transport security and
    # authentication.
    hosts => [ "127.0.0.1:9200" ]
    # Replaces the index template Logstash manages in Elasticsearch on startup.
    template_overwrite => true
  }

  # Debug aid: prints each full event, including message and exception text,
  # to stdout. Whatever captures the process output then holds a second copy
  # of the log data; drop this outside of troubleshooting.
  stdout {
    codec => rubydebug
  }
}