jeqo/extra

## extra
WLS_ACCESS_MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?|jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?:y)?|aug(?:ust)?|sep(?:tember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)\b
WLS_ACCESS_HTTPDATE %{MONTHDAY}/%{WLS_ACCESS_MONTH}/%{YEAR}:%{TIME} %{INT}
WLS_ACCESS_COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{WLS_ACCESS_HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
WLS_SERVER_LOG ####<%{DATA:wls_timestamp}> <%{WORD:severity}> <%{DATA:wls_topic}> <%{HOST:hostname}> <(%{WORD:server})?> %{GREEDYDATA:logmessage}

## stdin.conf
input {
	file {
		path => "C:/poc/log/*.log"
		start_position => beginning
	}
}
filter {
	if [path] =~ "access" {
		mutate { replace => { type => "wls_access" } }
		grok {
			patterns_dir => "./patterns"
			match => { "message" => "%{WLS_ACCESS_COMMONAPACHELOG}" }
		}
		date {
			match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
		}
	} else if [path] =~ "soa_server" {
		mutate { replace => { type => "soa_server" } }
		multiline {
			pattern => "^####"
			negate => true
			what => "previous"
		}
		grok {
			patterns_dir => "./patterns"
			match => { "message" => "%{WLS_SERVER_LOG}" }
		}
		date {
			match => [ "wls_timestamp", "dd.MMM.yyyy 'kl' HH.mm 'CEST'", "dd.MMM.yyyy 'kl' HH.mm 'CEST'" ]
		}
	} else if [path] =~ "osb_server" {
		mutate { replace => { type => "osb_server" } }
		multiline {
			pattern => "^####"
			negate => true
			what => "previous"
		}
		grok {
			patterns_dir => "./patterns"
			match => { "message" => "%{WLS_SERVER_LOG}" }
		}
		date {
			match => [ "wls_timestamp", "dd.MMM.yyyy 'kl' HH.mm 'CEST'", "dd.MMM.yyyy 'kl' HH.mm 'CEST'" ]
		}
	}
}
output {
	stdout { codec => rubydebug }
	elasticsearch {
		host => localhost
	}
}
	WLS_ACCESS_MONTH \b(?:Jan(?:uary)?\|Feb(?:ruary)?\|Mar(?:ch)?\|Apr(?:il)?\|May\|Jun(?:e)?\|Jul(?:y)?\|Aug(?:ust)?\|Sep(?:tember)?\|Oct(?:ober)?\|Nov(?:ember)?\|Dec(?:ember)?\|jan(?:uary)?\|feb(?:ruary)?\|mar(?:ch)?\|apr(?:il)?\|may\|jun(?:e)?\|jul(?:y)?\|aug(?:ust)?\|sep(?:tember)?\|oct(?:ober)?\|nov(?:ember)?\|dec(?:ember)?)\b
	WLS_ACCESS_HTTPDATE %{MONTHDAY}/%{WLS_ACCESS_MONTH}/%{YEAR}:%{TIME} %{INT}
	WLS_ACCESS_COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{WLS_ACCESS_HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?\|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}\|-)
	WLS_SERVER_LOG ####<%{DATA:wls_timestamp}> <%{WORD:severity}> <%{DATA:wls_topic}> <%{HOST:hostname}> <(%{WORD:server})?> %{GREEDYDATA:logmessage}
	input {
	file {
	path => "C:/poc/log/*.log"
	start_position => beginning
	}
	}
	filter {
	if [path] =~ "access" {
	mutate { replace => { type => "wls_access" } }
	grok {
	patterns_dir => "./patterns"
	match => { "message" => "%{WLS_ACCESS_COMMONAPACHELOG}" }
	}
	date {
	match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
	}
	} else if [path] =~ "soa_server" {
	mutate { replace => { type => "soa_server" } }
	multiline {
	pattern => "^####"
	negate => true
	what => "previous"
	}
	grok {
	patterns_dir => "./patterns"
	match => { "message" => "%{WLS_SERVER_LOG}" }
	}
	date {
	match => [ "wls_timestamp", "dd.MMM.yyyy 'kl' HH.mm 'CEST'", "dd.MMM.yyyy 'kl' HH.mm 'CEST'" ]
	}
	} else if [path] =~ "osb_server" {
	mutate { replace => { type => "osb_server" } }
	multiline {
	pattern => "^####"
	negate => true
	what => "previous"
	}
	grok {
	patterns_dir => "./patterns"
	match => { "message" => "%{WLS_SERVER_LOG}" }
	}
	date {
	match => [ "wls_timestamp", "dd.MMM.yyyy 'kl' HH.mm 'CEST'", "dd.MMM.yyyy 'kl' HH.mm 'CEST'" ]
	}
	}
	}
	output {
	stdout { codec => rubydebug }
	elasticsearch {
	host => localhost
	}
	}