

@olagache
Created September 28, 2012 00:24
Logstash: test syslog parsing
# ========================================================================================================================
/var/log/syslog:
Sep 27 22:42:19 aragorn dbus[884]: [system] Activating service name='org.kubuntu.qaptworker' (using servicehelper)
Sep 27 22:42:19 aragorn dbus[884]: [system] Successfully activated service 'org.kubuntu.qaptworker'
Sep 27 22:42:19 aragorn dbus[884]: [system] Activating service name='org.debian.AptXapianIndex' (using servicehelper)
Sep 27 22:42:19 aragorn dbus[884]: [system] Successfully activated service 'org.debian.AptXapianIndex'
# ========================================================================================================================
logstash.conf
# ===== #
# INPUT #
# ===== #
input {
# Tail the three system logs as a single event type so the filter and
# output sections below can select on type => "linux-syslog".
file {
type => "linux-syslog"
# auth.log carries authentication events (logins, sudo, PAM); every line
# read here is copied verbatim into MongoDB by the output section, so the
# destination must be treated as just as sensitive as these files.
# Logstash needs read access to all three paths — presumably run it as a
# user in the group that can read /var/log (adm on Debian/Ubuntu) rather
# than as root; confirm against the host's actual log permissions.
path => ["/var/log/syslog","/var/log/auth.log","/var/log/kern.log"]
# NOTE(review): debug => true presumably makes the input log each event it
# reads at debug level, duplicating log content into logstash's own output;
# drop it once this parsing test is done.
debug => true
}
}
# ====== #
# FILTER #
# ====== #
filter {
# Parse each line with the stock SYSLOGLINE pattern; this populates the
# `timestamp` field that the date filter below consumes.
grok {
type => "linux-syslog"
pattern => "%{SYSLOGLINE}"
}
# Convert the syslog timestamp into the event's @timestamp. The key names
# the field to parse; the array lists the Joda formats tried in order
# (two-digit day, then one-digit day).
# NOTE(review): the "Error example" at the bottom of this gist shows both
# formats rejecting "Sep 27 22:42:19" even though they match the sample
# lines above. Joda resolves MMM month names through the JVM default
# locale, so a non-English locale will not recognise the English
# abbreviation "Sep" — a likely cause; confirm by running under an English
# locale. The syslog timestamp also carries no year; confirm which year the
# parsed @timestamp receives.
date {
type => "linux-syslog"
timestamp => ["MMM dd HH:mm:ss","MMM d HH:mm:ss"]
}
# noop {
# type => "linux-syslog"
# add_tag => ["{'mongoDate': {'$date': '%{@timestamp}'}"]
# }
}
# ====== #
# OUTPUT #
# ====== #
output {
# Write every linux-syslog event as a document into logs.syslogs on the
# local MongoDB. No credentials are configured, so this relies on mongod
# being bound to 127.0.0.1 and reachable only from this host; the
# collection will hold auth.log contents, so restrict access to it the
# same way the source files are restricted.
# NOTE(review): check whether this logstash version's mongodb output
# accepts credentials before ever pointing host at a remote server.
mongodb {
type => "linux-syslog"
host => "127.0.0.1"
port => "27017"
database => "logs"
collection => "syslogs"
}
}
# ========================================================================================================================
logstash.sh
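#!/bin/sh
# Start the logstash agent in the background on logstash.conf and record
# its PID in logstash.pid so it can be stopped with:
#   kill -2 "$(cat logstash.pid)"
# (SIGINT is the documented way to stop the agent; without the PID file
# there is nothing for that command to refer to.)
# -v is verbose logging; drop it outside testing.
# Run this as an unprivileged user that can read the files listed in the
# input section of logstash.conf, not as root.
java -jar logstash-1.1.1-monolithic.jar agent -v -f logstash.conf &
echo $! > logstash.pid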
# ========================================================================================================================
Error example
Failed parsing date from field {"field":"timestamp","value":"Sep 27 22:42:19","exception":"java.lang.IllegalArgumentException: Invalid format: \"Sep 27 22:42:19\"","backtrace":["org/joda/time/format/DateTimeFormatter.java:866:in `parseDateTime'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filters/date.rb:101:in `register'","org/jruby/RubyProc.java:258:in `call'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filters/date.rb:149:in `filter'","org/jruby/RubyArray.java:1615:in `each'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filters/date.rb:143:in `filter'","org/jruby/RubyArray.java:1615:in `each'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filters/date.rb:136:in `filter'","org/jruby/RubyHash.java:1186:in `each'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filters/date.rb:128:in `filter'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filters/base.rb:88:in `execute'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filterworker.rb:58:in `filter'","org/jruby/RubyArray.java:1615:in `each'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filterworker.rb:48:in `filter'","org/jruby/RubyArray.java:1615:in `each'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filterworker.rb:47:in `filter'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/filterworker.rb:32:in `run'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/agent.rb:708:in `run_filter'","file:/home/olivier/application/logstash/logstash-1.1.1-monolithic.jar!/logstash/agent.rb:435:in `run_with_config'"],"level":"warn"}