Skip to content

Instantly share code, notes, and snippets.

@lcomplete

lcomplete/app.config

Forked from grenade/app.config
Created June 20, 2020 03:25
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save lcomplete/9eea6bbbef0cfc288db7b17ca43205ff to your computer and use it in GitHub Desktop.
Save lcomplete/9eea6bbbef0cfc288db7b17ca43205ff to your computer and use it in GitHub Desktop.
Download ZIP
Emit log4net entries to logstash over UDP in near-realtime
Raw
app.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" />
</configSections>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
<log4net>
<appender name="UdpAppender" type="log4net.Appender.UdpAppender">
<RemoteAddress value="logstash.example.org" />
<RemotePort value="5960" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level - %property{log4net:HostName} - SomeApplication - %logger - %message%newline" />
</layout>
</appender>
<root>
<level value="ALL" />
<appender-ref ref="UdpAppender" />
</root>
</log4net>
</configuration>
Raw
logstash-log4net-udp.conf
input {
udp {
port => 5960
codec => plain {
charset => "UTF-8"
}
type => "log4net"
}
}
filter {
mutate {
add_field => [ "hostip", "%{host}" ]
}
dns {
reverse => [ "host" ]
action => replace
}
if [type] == "log4net" {
grok {
break_on_match => true
remove_field => message
match => {
message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel} +- %{IPORHOST:tempHost} - %{DATA:application} - %{DATA:component} - %{GREEDYDATA:tempMessage}((\r\n)|(\n))(?<exceptionType>(((%{JAVACLASS})|(System.))Exception)): (?<exceptionMessage>(%{GREEDYDATA}))((\r\n)|(\n))(?<stackTrace>(( )+at %{GREEDYDATA}))"
}
match => {
message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel} +- %{IPORHOST:tempHost} - %{DATA:application} - %{DATA:component} - %{GREEDYDATA:tempMessage}((\r\n)|(\n))(?<exceptionType>(((%{JAVACLASS})|(System.))Exception)): (?<exceptionMessage>(%{GREEDYDATA}))"
}
match => {
message => "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadid}\] %{LOGLEVEL:loglevel} +- %{IPORHOST:tempHost} - %{DATA:application} - %{DATA:component} - %{GREEDYDATA:tempMessage}"
}
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "message" , "%{tempMessage}" ]
replace => [ "host" , "%{tempHost}" ]
}
}
mutate {
remove_field => [ "tempMessage" ]
remove_field => [ "tempHost" ]
}
}
}
output {
elasticsearch {
host => "localhost"
protocol => "http"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment