jrrdev/logstash.conf

## logstash.conf
# Configuration to parse Apache logs with parameters :
# LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %T %D \"%{Referer}i\" \"%{User-Agent}i\""


input {
  tcp {
    port => 5000
    type => "apache-access"
  }
  udp {
    port => 5000
    type => "apache-access"
  }
  # The parsed files are in the given repository
  file {
    path => "/input_logs/*"
    start_position => beginning
    ignore_older => 0
  }
}

filter {

  if [message] =~ "- - - .*" {
    drop { }
  }

  grok {
    match => {"message" => "%{IPORHOST:userip}(?:, %{IPORHOST:clientip}|) %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:responseCode} (?:%{NUMBER:bytes}|-) %{NUMBER:resptime} %{NUMBER:resptimefull} \"(?:%{URI:referrer}|-)\" %{QS:agent}" }
  }

  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }

  useragent {
    source => "agent"
  }

  mutate {
    convert => { "resptimefull" => "integer" }
  }

  mutate {
    convert => { "resptime" => "integer" }
  }

  mutate {
    convert => { "bytes" => "integer" }
  }

  mutate {
    gsub => [ "referrer", ".tomcat", "&tomcat=tomcat" ]
  }

  mutate {
    add_field => { "request_url" => "%{request}" }
  }

  mutate {
    add_field => { "referrer_params" => "%{referrer}" }
  }

  mutate {
    add_field => { "request_param" => "%{request_url}" }
  }

  mutate {
    gsub => [ "referrer", "\?.*", "" ]
  }

  mutate {
    gsub => [ "request_url", "\?.*", "" ]
  }

  mutate {
    gsub => [ "request_url", ";jsessionid.*", "" ]
  }

  mutate {
    gsub => [ "referrer_params", ".*\?", "" ]
  }

  mutate {
    gsub => [ "request_param", ".*\?", "" ]
  }

}

output {
  elasticsearch { hosts => "elasticsearch:9200" }
}
	# Configuration to parse Apache logs with parameters :
	# LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %T %D \"%{Referer}i\" \"%{User-Agent}i\""


	input {
	tcp {
	port => 5000
	type => "apache-access"
	}
	udp {
	port => 5000
	type => "apache-access"
	}
	# The parsed files are in the given repository
	file {
	path => "/input_logs/*"
	start_position => beginning
	ignore_older => 0
	}
	}

	filter {

	if [message] =~ "- - - .*" {
	drop { }
	}

	grok {
	match => {"message" => "%{IPORHOST:userip}(?:, %{IPORHOST:clientip}\|) %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?\|%{DATA:rawrequest})\" %{NUMBER:responseCode} (?:%{NUMBER:bytes}\|-) %{NUMBER:resptime} %{NUMBER:resptimefull} \"(?:%{URI:referrer}\|-)\" %{QS:agent}" }
	}

	date {
	match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
	}

	useragent {
	source => "agent"
	}

	mutate {
	convert => { "resptimefull" => "integer" }
	}

	mutate {
	convert => { "resptime" => "integer" }
	}

	mutate {
	convert => { "bytes" => "integer" }
	}

	mutate {
	gsub => [ "referrer", ".tomcat", "&tomcat=tomcat" ]
	}

	mutate {
	add_field => { "request_url" => "%{request}" }
	}

	mutate {
	add_field => { "referrer_params" => "%{referrer}" }
	}

	mutate {
	add_field => { "request_param" => "%{request_url}" }
	}

	mutate {
	gsub => [ "referrer", "\?.*", "" ]
	}

	mutate {
	gsub => [ "request_url", "\?.*", "" ]
	}

	mutate {
	gsub => [ "request_url", ";jsessionid.*", "" ]
	}

	mutate {
	gsub => [ "referrer_params", ".*\?", "" ]
	}

	mutate {
	gsub => [ "request_param", ".*\?", "" ]
	}

	}

	output {
	elasticsearch { hosts => "elasticsearch:9200" }
	}