@jordansissel
Created February 20, 2011 02:51
logstash config?
input {
  file {
    path => [ "/var/log/messages", "/var/log/kern.log" ]
    type => "linux-syslog"
  }
  file {
    path => "/var/log/apache2/access.log"
    type => "apache-access"
  }
  file {
    path => "/var/log/apache2/error.log"
    type => "apache-error"
  }
}
output {
  amqp {
    host => "myamqpserver"
    exchange_type => "fanout"
    name => "rawlogs"
  }
  amqp {
    host => "127.0.0.1"
    exchange_type => "topic"
    name => "logsniff"
  }
  stdout { }
}
# Filters are applied in the order the appear.
filter {
  multiline {
    type => "supervisorlogs"
    pattern => "^\s"
    what => previous
  }
  multiline {
    type => "testing"
    pattern => "^\s"
    what => previous
  }
  grok {
    type => "linux-syslog"
    pattern => ["%{SYSLOG_SUDO}", "%{SYSLOG_KERNEL}", "%{SYSLOGLINE}" ]
  }
  grok {
    type => "nagios"
    pattern => "%{NAGIOSLOGLINE}"
  }
  #date {
  #" testing" => fizzle
  #}
}
% bin/logstash -f etc/agent.lgtm.conf
Comment: Filters are applied in the order the appear.
Comment: date {
Comment: " testing" => fizzle
Comment: }
LogStash::Inputs::Base: Sharing config 'type' with subclass LogStash::Inputs::File
LogStash::Inputs::Base: Sharing config 'tag' with subclass LogStash::Inputs::File
I, [2011-02-20T03:57:42.277000 #4434] INFO -- logstash: config LogStash::Inputs::File/@path = ["/var/log/messages", "/var/log/kern.log"]
I, [2011-02-20T03:57:42.285000 #4434] INFO -- logstash: config LogStash::Inputs::File/@type = "linux-syslog"
I, [2011-02-20T03:57:42.289000 #4434] INFO -- logstash: config LogStash::Inputs::File/@path = ["/var/log/apache2/access.log"]
I, [2011-02-20T03:57:42.290000 #4434] INFO -- logstash: config LogStash::Inputs::File/@type = "apache-access"
I, [2011-02-20T03:57:42.294000 #4434] INFO -- logstash: config LogStash::Inputs::File/@path = ["/var/log/apache2/error.log"]
I, [2011-02-20T03:57:42.295000 #4434] INFO -- logstash: config LogStash::Inputs::File/@type = "apache-error"
I, [2011-02-20T03:57:43.030000 #4434] INFO -- logstash: config LogStash::Outputs::Amqp/@host = "myamqpserver"
I, [2011-02-20T03:57:43.033000 #4434] INFO -- logstash: config LogStash::Outputs::Amqp/@exchange_type = "fanout"
I, [2011-02-20T03:57:43.035000 #4434] INFO -- logstash: config LogStash::Outputs::Amqp/@name = "rawlogs"
{"fanout"=>["fanout", "queue", "topic"]}
I, [2011-02-20T03:57:43.041000 #4434] INFO -- logstash: config LogStash::Outputs::Amqp/@host = "127.0.0.1"
I, [2011-02-20T03:57:43.042000 #4434] INFO -- logstash: config LogStash::Outputs::Amqp/@exchange_type = "topic"
I, [2011-02-20T03:57:43.043000 #4434] INFO -- logstash: config LogStash::Outputs::Amqp/@name = "logsniff"
{"topic"=>["fanout", "queue", "topic"]}
LogStash::Filters::Base: Sharing config 'type' with subclass LogStash::Filters::Multiline
I, [2011-02-20T03:57:43.067000 #4434] INFO -- logstash: config LogStash::Filters::Multiline/@type = "supervisorlogs"
I, [2011-02-20T03:57:43.069000 #4434] INFO -- logstash: config LogStash::Filters::Multiline/@pattern = "^\\s"
I, [2011-02-20T03:57:43.070000 #4434] INFO -- logstash: config LogStash::Filters::Multiline/@what = "previous"
I, [2011-02-20T03:57:43.073000 #4434] INFO -- logstash: config LogStash::Filters::Multiline/@type = "testing"
I, [2011-02-20T03:57:43.074000 #4434] INFO -- logstash: config LogStash::Filters::Multiline/@pattern = "^\\s"
I, [2011-02-20T03:57:43.075000 #4434] INFO -- logstash: config LogStash::Filters::Multiline/@what = "previous"
LogStash::Filters::Base: Sharing config 'type' with subclass LogStash::Filters::Grok
I, [2011-02-20T03:57:43.438000 #4434] INFO -- logstash: config LogStash::Filters::Grok/@type = "linux-syslog"
I, [2011-02-20T03:57:43.439000 #4434] INFO -- logstash: config LogStash::Filters::Grok/@pattern = ["%{SYSLOG_SUDO}", "%{SYSLOG_KERNEL}", "%{SYSLOGLINE}"]
I, [2011-02-20T03:57:43.442000 #4434] INFO -- logstash: config LogStash::Filters::Grok/@type = "nagios"
I, [2011-02-20T03:57:43.443000 #4434] INFO -- logstash: config LogStash::Filters::Grok/@pattern = ["%{NAGIOSLOGLINE}"]