logstash conf file
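input {
  # Lumberjack (logstash-forwarder) listener. This input is TLS-only:
  # ssl_certificate is the server certificate presented to the forwarders and
  # ssl_key must be the matching PRIVATE key. The original pointed ssl_key at
  # Puppet's public_keys/ directory, which cannot complete a TLS handshake;
  # under the same ssldir the private half lives in private_keys/.
  lumberjack {
    port => 5043
    ssl_certificate => "/etc/puppetlabs/puppet/ssl/certs/logstashxxx.pem"
    # NOTE(review): this reuses the Puppet agent identity for the log listener,
    # so the key file must stay readable only by the user Logstash runs as.
    # If the plugin rejects the key format, Puppet's PKCS#1 key may need
    # converting to PKCS#8 (openssl pkcs8 -topk8 -nocrypt) — confirm against
    # the installed plugin version.
    ssl_key => "/etc/puppetlabs/puppet/ssl/private_keys/logstashxxx.pem"
  }
}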
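filter {
  # Header lines: anything whose first character is '#' is discarded.
  # NOTE(review): this runs for EVERY input type, before any [type] check, so a
  # log line that merely begins with '#' (including attacker-influenced text
  # that happens to lead the line) is silently dropped at ingest. Scope it to
  # the types that actually carry '#' headers once those are known.
  if [message] =~ "^#" {drop {}}

  #Grok parsing - Using custom patterns to account for null values.
  # ELMAH (tab-separated export). Continuation lines — anything that does not
  # start with an ISO8601 timestamp — are glued onto the previous event.
  # NOTE(review): the multiline filter keeps state per worker and is documented
  # as unsafe with more than one filter worker; run with -w 1 or do the joining
  # on the shipper.
  if [type] == "ELMAHLog" {
    multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      what => "previous"
      negate => true
    }
    # One tab-delimited field per capture. Each field is matched with [^\t]*
    # instead of the original lazy (.*?): the result is identical for
    # well-formed rows (fields cannot contain tabs) and empty fields still
    # match, but a malformed or hostile line can no longer push eleven lazy
    # wildcards into polynomial backtracking and stall the filter worker.
    # (?m) is kept so GREEDYDATA can span the multi-line XML tail.
    # "Status Code" was renamed to StatusCode: Oniguruma only allows word
    # characters in group names, so the original capture would not compile,
    # and a field name containing a space is awkward in Elasticsearch anyway.
    # Anything already indexed under the old name will need updating.
    grok {
      match => ["message", "(?m)(%{TIMESTAMP_ISO8601:log_timestamp})\t(?<ErrorId>[^\t]*)\t(?<Application>[^\t]*)\t(?<Host>[^\t]*)\t(?<Type>[^\t]*)\t(?<Source>[^\t]*)\t(?<Message>[^\t]*)\t(?<User>[^\t]*)\t(?<StatusCode>[^\t]*)\t(?<Sequence>[^\t]*)\t(?<Ignored>[^\t]*)\t(%{GREEDYDATA:allXML})"]
      add_tag => "ELMAH"
    }
  }

  # Promote the parsed timestamp to @timestamp. ELMAH rows carry no zone, so
  # they are read as UTC ("Etc/UCT" is a tz-database alias of Etc/UTC).
  # Presumably a no-op for events that have no log_timestamp (other types).
  date {
    match => [ "log_timestamp", "ISO8601" ]
    timezone => "Etc/UCT"
  }

  # Drop the raw timestamp now that @timestamp carries it.
  mutate {
    remove_field => ["log_timestamp"]
  }

  # For ELMAH the raw line is fully represented by the parsed fields plus
  # allXML, so the original message and the multiline bookkeeping tag go.
  # The removal is now guarded on _grokparsefailure: in the original an event
  # whose grok did not match still lost its message, leaving an event with
  # neither the parsed fields nor the raw line — the evidence was gone. Failed
  # events keep their message and carry the tag for triage.
  if [type] == "ELMAHLog" and "_grokparsefailure" not in [tags] {
    mutate {
      remove_field => ["message"]
      remove_tag => ["multiline"]
    }
  }

  # Age gate: anything older than 7 days (by the @timestamp just set) is
  # discarded so a restart does not re-index a backlog of stale files.
  # NOTE(review): this is silent data loss at the ingest point. A forwarder
  # with a skewed clock, or an outage longer than a week, drops events with no
  # trace; consider tagging or routing instead of cancel, or at least counting
  # what is dropped. Events whose timestamp did not parse presumably keep the
  # arrival-time @timestamp and therefore always pass.
  ruby {
    code => "event.cancel if event.timestamp < (Time.now - (86400 * 7))"
  }
}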
output { | |
#NOTE(review): nothing here filters on _grokparsefailure, so events that failed grok are indexed too — they just carry the tag. Keep it that way (silently dropping unparsed events hides evidence) and triage on the tag. This transport is plain HTTP with no credentials, so Elasticsearch must stay bound to localhost.
elasticsearch { | |
protocol => http | |
host => "localhost" | |
port => 9200 | |
} |