ggtools/logstash.conf

## logstash.conf
input {
    gelf {
        type => docker
        port => 12201
    }
}

filter {
    multiline {
        pattern => "^%{TIMESTAMP_ISO8601}"
        negate => true
        what => "previous"
        source => "short_message"
    }
    grok {
        match => { "short_message" => "^%{TIMESTAMP_ISO8601}\s+%{LOGLEVEL:log_level}\s+%{NUMBER:pid}\s+---\s+\[\s*%{USERNAME:thread}\s*\]\s+%{DATA:class}\s*:\s*%{DATA:log_message}(?:\n%{GREEDYDATA:stack})?\n*$" }
    }
    if "_grokparsefailure" in [tags] {
        mutate {
            replace => { "message" => "%{short_message}" }
        }
    }
    else {
        mutate {
            replace => { "message" => "%{log_message}" }
            replace => { "level" => "%{log_level}"}
            remove_field => [ "log_level", "log_message" ]
        }
    }
}

output {
    #stdout {
    #    codec => rubydebug
    #}
    elasticsearch {
        host => db
    }
}
	input {
	gelf {
	type => docker
	port => 12201
	}
	}

	filter {
	multiline {
	pattern => "^%{TIMESTAMP_ISO8601}"
	negate => true
	what => "previous"
	source => "short_message"
	}
	grok {
	match => { "short_message" => "^%{TIMESTAMP_ISO8601}\s+%{LOGLEVEL:log_level}\s+%{NUMBER:pid}\s+---\s+\[\s%{USERNAME:thread}\s\]\s+%{DATA:class}\s:\s%{DATA:log_message}(?:\n%{GREEDYDATA:stack})?\n*$" }
	}
	if "_grokparsefailure" in [tags] {
	mutate {
	replace => { "message" => "%{short_message}" }
	}
	}
	else {
	mutate {
	replace => { "message" => "%{log_message}" }
	replace => { "level" => "%{log_level}"}
	remove_field => [ "log_level", "log_message" ]
	}
	}
	}

	output {
	#stdout {
	# codec => rubydebug
	#}
	elasticsearch {
	host => db
	}
	}