Created
June 12, 2014 16:36
-
-
Save mrlesmithjr/598f193aeb7b48889fbd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { | |
| path => "/var/log/nginx/*access.log" | |
| type => "nginx" | |
| sincedb_path => "/var/log/.sincedb" | |
| } | |
| } | |
| input { | |
| udp { | |
| type => "syslog" | |
| port => "514" | |
| } | |
| } | |
| filter { | |
| if [type] == "syslog" { | |
| dns { | |
| reverse => [ "host" ] action => "replace" | |
| } | |
| mutate { | |
| add_tag => [ "syslog-UDP" ] | |
| } | |
| if [host] =~ /.*?(nsvpx).*?(everythingshouldbevirtual.local)?/ { | |
| mutate { | |
| add_tag => [ "Netscaler", "Ready" ] | |
| } | |
| } | |
| if [host] =~ /.*?(pfsense).*?(everythingshouldbevirtual.local)?/ { | |
| mutate { | |
| add_tag => [ "PFSense", "Ready" ] | |
| } | |
| } | |
| if "Ready" not in [tags] { | |
| mutate { | |
| add_tag => [ "syslog" ] | |
| } | |
| } | |
| } | |
| } | |
| filter { | |
| if [type] == "syslog" { | |
| mutate { | |
| remove_tag => "Ready" | |
| } | |
| } | |
| } | |
| filter { | |
| if "syslog" in [tags] { | |
| grok { | |
| match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" } | |
| add_field => [ "received_at", "%{@timestamp}" ] | |
| add_field => [ "received_from", "%{host}" ] | |
| } | |
| syslog_pri { } | |
| date { | |
| match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] | |
| } | |
| if !("_grokparsefailure" in [tags]) { | |
| mutate { | |
| replace => [ "@source_host", "%{syslog_hostname}" ] | |
| replace => [ "@message", "%{syslog_message}" ] | |
| } | |
| } | |
| mutate { | |
| remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ] | |
| } | |
| if "_grokparsefailure" in [tags] { | |
| drop { } | |
| } | |
| } | |
| } | |
| filter { | |
| if "syslog" in [tags] { | |
| if [syslog_program] == "haproxy" { | |
| grok { | |
| break_on_match => false | |
| match => [ | |
| "message", "%{HAPROXYHTTP}", | |
| "message", "%{HAPROXYTCP}" | |
| ] | |
| add_tag => [ "HAProxy" ] | |
| } | |
| geoip { | |
| source => "client_ip" | |
| target => "geoip" | |
| add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] | |
| add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] | |
| } | |
| mutate { | |
| convert => [ "[geoip][coordinates]", "float" ] | |
| } | |
| mutate { | |
| replace => [ "host", "%{@source_host}" ] | |
| } | |
| mutate { | |
| add_field => [ "bytes_read_int", "%{bytes_read}" ] | |
| convert => [ "bytes_read_int", "integer" ] | |
| } | |
| } | |
| } | |
| } | |
| filter { | |
| if "Netscaler" in [tags] { | |
| grok { | |
| break_on_match => true | |
| match => [ | |
| "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:netscaler_client_ip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}", | |
| "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}" | |
| ] | |
| } | |
| syslog_pri { } | |
| mutate { | |
| replace => [ "@source_host", "%{host}" ] | |
| } | |
| mutate { | |
| replace => [ "@message", "%{netscaler_message}" ] | |
| } | |
| geoip { | |
| source => "netscaler_client_ip" | |
| target => "geoip" | |
| add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] | |
| add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] | |
| } | |
| mutate { | |
| convert => [ "[geoip][coordinates]", "float" ] | |
| } | |
| } | |
| } | |
| filter { | |
| if "PFSense" in [tags] { | |
| grok { | |
| add_tag => [ "firewall" ] | |
| match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ] | |
| } | |
| mutate { | |
| gsub => ["datetime"," "," "] | |
| } | |
| date { | |
| match => [ "datetime", "MMM dd HH:mm:ss" ] | |
| } | |
| mutate { | |
| replace => [ "message", "%{msg}" ] | |
| } | |
| mutate { | |
| remove_field => [ "msg", "datetime" ] | |
| } | |
| } | |
| if [prog] =~ /^pf$/ { | |
| mutate { | |
| add_tag => [ "packetfilter" ] | |
| } | |
| multiline { | |
| pattern => "^\s+|^\t\s+" | |
| what => "previous" | |
| } | |
| mutate { | |
| remove_field => [ "msg", "datetime" ] | |
| remove_tag => [ "multiline" ] | |
| } | |
| grok { | |
| match => [ "message", "rule (?<rule>.*)\(.*\): (?<action>pass|block) .* on (?<iface>.*): .* proto (?<proto>TCP|UDP|IGMP|ICMP) .*\n\s*(?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)):" ] | |
| } | |
| } | |
| if [prog] =~ /^dhcpd$/ { | |
| if [message] =~ /^DHCPACK|^DHCPREQUEST|^DHCPOFFER/ { | |
| grok { | |
| match => [ "message", "(?<action>.*) (on|for|to) (?<src_ip>[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]\.[0-2]?[0-9]?[0-9]) .*(?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ] | |
| } | |
| } | |
| if [message] =~ /^DHCPDISCOVER/ { | |
| grok { | |
| match => [ "message", "(?<action>.*) from (?<mac_address>[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]).* via (?<iface>.*)" ] | |
| } | |
| } | |
| if [message] =~ /^DHCPINFORM/ { | |
| grok { | |
| match => [ "message", "(?<action>.*) from (?<src_ip>.*).* via (?<iface>.*)" ] | |
| } | |
| } | |
| } | |
| if "_grokparsefailure" in [tags] { | |
| drop { } | |
| } | |
| } | |
| filter { | |
| if "PFSense" in [tags] { | |
| mutate { | |
| replace => [ "@source_host", "%{host}" ] | |
| } | |
| mutate { | |
| replace => [ "@message", "%{message}" ] | |
| } | |
| } | |
| } | |
| filter { | |
| if [type] == "nginx" { | |
| grok { | |
| pattern => "%{COMBINEDAPACHELOG}" | |
| } | |
| } | |
| } | |
| output { | |
| if [type] != "nginx" { | |
| elasticsearch { | |
| cluster => "logstash-cluster" | |
| flush_size => 1 | |
| manage_template => true | |
| template => "/opt/logstash/lib/logstash/outputs/elasticsearch/elasticsearch-template.json" | |
| } } | |
| } | |
| output { | |
| if [type] == "nginx" { | |
| redis { | |
| host => "logstash" | |
| data_type => "list" | |
| key => "logstash" | |
| } | |
| } | |
| } | |
| output { | |
| if "HAProxy" in [tags] { | |
| statsd { | |
| host => "graphite" | |
| port => 8125 | |
| gauge => [ "haproxy.bytes.read", "%{bytes_read}" ] | |
| increment => "haproxy.http.status.code.%{http_status_code}" | |
| timing => [ "haproxy.time.backend.connect", "%{time_backend_connect}" ] | |
| timing => [ "haproxy.time.backend.response", "%{time_backend_response}" ] | |
| timing => [ "haproxy.time.duration", "%{time_duration}" ] | |
| timing => [ "haproxy.time.queue", "%{time_queue}" ] | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment