michaeltchapman/logstash_config.rb

## logstash_config.rb
# logstash configuration format production function
def logstash_config(obj, depth=0)
  d = depth
  white = '  '
  case obj
    when String, Fixnum, Float, TrueClass, FalseClass, NilClass
      return " => #{obj.to_s}\n"
    when NilClass
      return " { }\n"
    when Array
      ret = []
      obj.each do |a|
        ret.push(logstash_config(a, d))
      end
      return ret.join("")
    when Hash
      ret = []
      obj.keys.sort.each do |k|
        value = obj[k]
        case value
          when String, Fixnum, Float, TrueClass, FalseClass
            ret.push("#{white * d}#{k.to_s} => #{value.to_s}\n")
          when NilClass
            ret.push("#{white * d}#{k.to_s} { }\n")
          else
            ret.push("#{white * d}#{k.to_s} {\n#{logstash_config(value, d+1)}#{white * d}}\n")
        end
      end
      return ret.join("")
    else
      raise Exception("Invalid object type <%s> in logstash config parser" % obj.class.to_s)
  end
end

module Puppet::Parser::Functions
  newfunction(:logstash_config, :type => :rvalue, :doc => <<-EOS
This function takes a hash and creates a formatted logstash config DSL string

*Examples:*

input:
  lumberjack:
    - port: 5000
    - type: logs

returns:

 input {
   lumberjack {
     port => 5000
     type => logs
   }
 }
    EOS

  ) do |arguments|

    if arguments.size != 1
      raise(Puppet::ParseError, "logstash_config: takes only a single hash argument, you" +
      " gave #{arguments.size}")
    end

    conf = arguments[0]
    logstash_config(conf)
  end
end

# vim: set ts=2 sw=2 et :

## output.conf
filter {
  if [type] == "syslog" {
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    grok {
      match {
        message => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} (?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}"
      }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
  }
}
input {
  lumberjack {
    port => 5000
    type => logs
  }
}

## user.yaml
logstash_config:
  input:
    lumberjack:
      - port: 5000
      - type: logs


  filter:
    'if [type] == "syslog"':
      grok:
        - match:
            message: "\"_%_{SYSLOGTIMESTAMP:syslog_timestamp} _%_{SYSLOGHOST:syslog_hostname} _%_{DATA:syslog_program} (?:[_%_{POSINT:syslog_pid}])?: _%_{GREEDYDATA:syslog_message}\""
        - add_field: "[ \"received_at\", \"_%_{@timestamp}\" ]"
        - add_field: "[ \"received_from\", \"_%_{host}\" ]"
      syslog_pri:
      date:
        - match: '[ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]'
	# logstash configuration format production function
	def logstash_config(obj, depth=0)
	d = depth
	white = ' '
	case obj
	when String, Fixnum, Float, TrueClass, FalseClass, NilClass
	return " => #{obj.to_s}\n"
	when NilClass
	return " { }\n"
	when Array
	ret = []
	obj.each do \|a\|
	ret.push(logstash_config(a, d))
	end
	return ret.join("")
	when Hash
	ret = []
	obj.keys.sort.each do \|k\|
	value = obj[k]
	case value
	when String, Fixnum, Float, TrueClass, FalseClass
	ret.push("#{white * d}#{k.to_s} => #{value.to_s}\n")
	when NilClass
	ret.push("#{white * d}#{k.to_s} { }\n")
	else
	ret.push("#{white * d}#{k.to_s} {\n#{logstash_config(value, d+1)}#{white * d}}\n")
	end
	end
	return ret.join("")
	else
	raise Exception("Invalid object type <%s> in logstash config parser" % obj.class.to_s)
	end
	end

	module Puppet::Parser::Functions
	newfunction(:logstash_config, :type => :rvalue, :doc => <<-EOS
	This function takes a hash and creates a formatted logstash config DSL string

	Examples:

	input:
	lumberjack:
	- port: 5000
	- type: logs

	returns:

	input {
	lumberjack {
	port => 5000
	type => logs
	}
	}
	EOS

	) do \|arguments\|

	if arguments.size != 1
	raise(Puppet::ParseError, "logstash_config: takes only a single hash argument, you" +
	" gave #{arguments.size}")
	end

	conf = arguments[0]
	logstash_config(conf)
	end
	end

	# vim: set ts=2 sw=2 et :
	filter {
	if [type] == "syslog" {
	date {
	match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
	}
	grok {
	match {
	message => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} (?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}"
	}
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{host}" ]
	}
	syslog_pri { }
	}
	}
	input {
	lumberjack {
	port => 5000
	type => logs
	}
	}
	logstash_config:
	input:
	lumberjack:
	- port: 5000
	- type: logs


	filter:
	'if [type] == "syslog"':
	grok:
	- match:
	message: "\"_%_{SYSLOGTIMESTAMP:syslog_timestamp} _%_{SYSLOGHOST:syslog_hostname} _%_{DATA:syslog_program} (?:[_%_{POSINT:syslog_pid}])?: _%_{GREEDYDATA:syslog_message}\""
	- add_field: "[ \"received_at\", \"_%_{@timestamp}\" ]"
	- add_field: "[ \"received_from\", \"_%_{host}\" ]"
	syslog_pri:
	date:
	- match: '[ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]'