Last active
August 29, 2015 14:10
-
-
Save ocean/fcd1b3ec4c29f9eaa654 to your computer and use it in GitHub Desktop.
Logstash WILL NOT parse my files :`-(
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# custom regex pattern for our URIs, allowing | |
# ampersands in the URL and ^s in the query string. | |
URI_EXTRA %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:(?:/[A-Za-z0-9$.+!*'(){},~:;=&@#%_\-]*)+(?:\?[A-Za-z0-9$.+!*'|(){},~@#%&\^/=:;_?\-\[\]]*)?)? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
} else if [path] =~ "drupal" { | |
mutate { replace => { "type" => "drupal_syslog" } } | |
grok { | |
break_on_match => false | |
match => [ | |
"message", "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" | |
] | |
} | |
grok { | |
patterns_dir => "/Users/drewrobinson/Development/elk/logstash/patterns" | |
# break_on_match => false | |
match => [ | |
"syslog_message", "%{URI:server}\|%{INT:unix_time}\|%{DATA:message_type}\|(%{IP:client})?\|%{URI_EXTRA:request}\|(%{URI_EXTRA:referer})?\|%{INT:uid}\|(%{DATA:link})?\|%{GREEDYDATA:log_message}" | |
] | |
} | |
grok { | |
patterns_dir => "/Users/drewrobinson/Development/elk/logstash/patterns" | |
# break_on_match => false | |
match => [ | |
"syslog_message", "%{DATA:message_type}\|(%{IP:client})?\|%{URI_EXTRA:request}\|(%{URI_EXTRA:referer})?\|%{INT:uid}\|(%{DATA:link})? %{GREEDYDATA:log_message}" | |
] | |
} | |
grok { | |
patterns_dir => "/Users/drewrobinson/Development/elk/logstash/patterns" | |
# break_on_match => false | |
match => [ | |
"syslog_message", "type=(%{QS:message_type}|%{DATA:message_type}) client=(%{IP:client})? request_uri=%{URI_EXTRA:request} referer=(%{URI_EXTRA:referer})? uid=%{INT:uid} link=(%{QS:link}|%{DATA:link})? message=%{GREEDYDATA:log_message}" | |
] | |
} |
And before that I had all the "message" patterns in one match hash...
} else if [path] =~ "drupal" {
mutate { replace => { "type" => "drupal_syslog" } }
grok {
patterns_dir => "/Users/drewrobinson/Development/elk/logstash/patterns"
break_on_match => false
match => {
"message" => "%{SYSLOGBASE} %{URI:server}\|%{INT:unix_time}\|%{DATA:message_type}\|(%{IP:client})?\|%{URI_EXTRA:request}\|(%{URI_EXTRA:referer})?\|%{INT:uid}\|(%{DATA:link})?\|%{GREEDYDATA:log_message}"
"message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOST} %{SYSLOGPROG}: %{DATA:message_type}\|(%{IP:client})?\|%{URI_EXTRA:request}\|(%{URI_EXTRA:referer})?\|%{INT:uid}\|(%{DATA:link})? %{GREEDYDATA:log_message}"
"message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOST} %{SYSLOGPROG}: type=(%{QS:message_type}|%{DATA:message_type}) client=(%{IP:client})? request_uri=%{URI_EXTRA:request} referer=(%{URI_EXTRA:referer})? uid=%{INT:uid} link=(%{QS:link}|%{DATA:link})? message=%{GREEDYDATA:log_message}"
}
}
but that didn't grab them all either, though I was getting the first one to work then...
And I've tried with break_on_match
as false and true
Changed the grok config to the above and it's not matching anything, yay.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Previously I have tried:
with little success as well :-(