roflmao/logstash.conf

## logstash.conf
input {
  stdin { type => "stdin-type"}
#  syslog {
#    type => syslog
#    port => 5544
#  }

  tcp {
    port => 10514
    type => "syslog"
    tags => ["production"]
  }

  file {
    type => "linux-syslog"
    path => [ "/var/log/messages", "/var/log/syslog" ]
  }
}

filter {

  grep {
      type => "syslog"
      match => [ "%{@syslog_program}", "varnishncsa.log" ]
#      match => [ "@message", "GET" ]
#      match => [ "@syslog_program", "varnishncsa.log" ]
      add_tag => "apache-access-grepped"
      drop => false
  }

  grok {
      type => "syslog"
      pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{@source_host}" ]
  }

  grok {
    type => "apache-combined"
    pattern => "%{COMBINEDAPACHELOG}"
  }

  grok {
      type => "syslog"
      tags => ["apache-access-grepped"]
      pattern => [ "%{COMBINEDAPACHELOG}" ]
      add_tag => "apache-access-grokked"
  }

  syslog_pri {
      type => "syslog"
  }

  date {
      type => "syslog"
      syslog_timestamp => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  #    syslog_timestamp => [ "MMM dd HH:mm:ss" ]
  }

  mutate {
      type => "syslog"
      exclude_tags => "_grokparsefailure"
      replace => [ "@source_host", "%{syslog_hostname}" ]
      replace => [ "@message", "%{syslog_message}" ]
  }

  mutate {
      type => "syslog"
      remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
  }
}

output {
  stdout { debug => true debug_format => "json"}
  elasticsearch {
    embedded => false
    cluster => "logstash"
    host => "localhost"
  }
}
	input {
	stdin { type => "stdin-type"}
	# syslog {
	# type => syslog
	# port => 5544
	# }

	tcp {
	port => 10514
	type => "syslog"
	tags => ["production"]
	}

	file {
	type => "linux-syslog"
	path => [ "/var/log/messages", "/var/log/syslog" ]
	}
	}

	filter {

	grep {
	type => "syslog"
	match => [ "%{@syslog_program}", "varnishncsa.log" ]
	# match => [ "@message", "GET" ]
	# match => [ "@syslog_program", "varnishncsa.log" ]
	add_tag => "apache-access-grepped"
	drop => false
	}

	grok {
	type => "syslog"
	pattern => [ "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{@source_host}" ]
	}

	grok {
	type => "apache-combined"
	pattern => "%{COMBINEDAPACHELOG}"
	}

	grok {
	type => "syslog"
	tags => ["apache-access-grepped"]
	pattern => [ "%{COMBINEDAPACHELOG}" ]
	add_tag => "apache-access-grokked"
	}

	syslog_pri {
	type => "syslog"
	}

	date {
	type => "syslog"
	syslog_timestamp => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
	# syslog_timestamp => [ "MMM dd HH:mm:ss" ]
	}

	mutate {
	type => "syslog"
	exclude_tags => "_grokparsefailure"
	replace => [ "@source_host", "%{syslog_hostname}" ]
	replace => [ "@message", "%{syslog_message}" ]
	}

	mutate {
	type => "syslog"
	remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
	}
	}

	output {
	stdout { debug => true debug_format => "json"}
	elasticsearch {
	embedded => false
	cluster => "logstash"
	host => "localhost"
	}
	}