

@ram-devsecops
Created November 4, 2014 18:28
Logstash conf file
input {
# Lumberjack (logstash-forwarder) listener. The lumberjack protocol is TLS-only,
# so ssl_certificate and ssl_key are required options for this input.
lumberjack {
port => 5043
ssl_certificate => "/etc/puppetlabs/puppet/ssl/certs/logstashxxx.pem"
# NOTE(review): ssl_key must be the server's PRIVATE key, but this path sits under
# Puppet's public_keys/ directory. Confirm the path — a public key here cannot
# complete the TLS handshake, so no forwarder would be able to connect.
ssl_key => "/etc/puppetlabs/puppet/ssl/public_keys/logstashxxx.pem"
}
}
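filter {
  # Drop header lines: ELMAH export files prefix their headings with '#'.
  if [message] =~ "^#" { drop {} }

  # ELMAH: one log entry may span several physical lines. Lines that do NOT start
  # with an ISO8601 timestamp are continuation lines and are joined onto the
  # previous event.
  # NOTE: the multiline *filter* keeps per-stream state (stream_identity defaults
  # to %{host}.%{path}.%{type}) and is not safe with more than one filter worker;
  # run with a single worker (-w 1) or move to the multiline codec on the input.
  if [type] == "ELMAHLog" {
    multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      what => "previous"
      negate => true
    }
    # Tab-separated ELMAH columns; lazy (.*?) groups tolerate empty columns.
    # Named groups must be valid identifiers: the original "Status Code" (with a
    # space) is rejected by the regex engine and made the whole pattern fail to
    # compile, so that column is captured as StatusCode.
    grok {
      match => ["message", "(?m)(%{TIMESTAMP_ISO8601:log_timestamp})\t(?<ErrorId>(.*?))\t(?<Application>(.*?))\t(?<Host>(.*?))\t(?<Type>(.*?))\t(?<Source>(.*?))\t(?<Message>(.*?))\t(?<User>(.*?))\t(?<StatusCode>(.*?))\t(?<Sequence>(.*?))\t(?<Ignored>(.*?))\t(%{GREEDYDATA:allXML})"]
      add_tag => ["ELMAH"]
    }
  }

  # Promote the parsed timestamp to @timestamp. When log_timestamp is absent
  # (e.g. grok did not match) the date filter does nothing and @timestamp keeps
  # the ingest time.
  date {
    match => [ "log_timestamp", "ISO8601" ]
    timezone => "Etc/UCT"
  }

  # log_timestamp is now redundant with @timestamp.
  mutate {
    remove_field => ["log_timestamp"]
  }

  # For ELMAH the raw message is fully covered by the parsed columns plus allXML,
  # and the multiline tag is bookkeeping. Only strip the message when grok
  # actually matched — otherwise an unparsed event would lose its only content
  # and be unrecoverable downstream.
  if [type] == "ELMAHLog" and "_grokparsefailure" not in [tags] {
    mutate {
      remove_field => ["message"]
      remove_tag => ["multiline"]
    }
  }

  # Discard events whose timestamp is more than 7 days old. This runs on every
  # event as it is processed, not only at service start-up; events whose
  # timestamp could not be parsed carry the ingest-time @timestamp and pass.
  ruby {
    code => "event.cancel if event.timestamp < (Time.now - (86400 * 7))"
  }
}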
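output {
  # Every event that survives the filter stage is indexed, including events
  # tagged _grokparsefailure; there is no tag condition here. Wrap the output in
  # `if "_grokparsefailure" not in [tags] { ... }` if only cleanly parsed events
  # should reach Elasticsearch.
  # Plain HTTP with no authentication — acceptable only because the endpoint is
  # localhost; do not point this at a remote host without TLS/auth.
  elasticsearch {
    protocol => http
    host => "localhost"
    port => 9200
  }
}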