Minimal logsearch logstash config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The # character at the beginning of a line indicates a comment. Use | |
| # comments to describe your configuration. | |
| input { | |
| file { | |
| path => "/Users/colin/Documents/Boulot/gds/logstash/nginx_access.log" | |
| start_position => "beginning" | |
| } | |
| } | |
| filter { | |
| # Initialize @input, @shipper and @source | |
| mutate { | |
| add_field => { "@input" => "syslog" } | |
| replace => { "[@shipper][priority]" => "14" } | |
| replace => { "[@shipper][name]" => "vcap.auctioneer_syslog" } | |
| add_field => { "[@source][component]" => "vcap.auctioneer" } | |
| add_field => { "[@source][type]" => "syslog" } | |
| } | |
| if [@source][component] != "vcap.uaa" and [@source][component] =~ /vcap\..*/ { | |
| ruby { | |
| code => "event['[@source][component]'] = event['[@source][component]'][5..-1]" # minus "vcap." prefix | |
| } | |
| mutate { | |
| replace => { "@type" => "vcap" } | |
| add_tag => "vcap" | |
| } | |
| # Parse Cloud Foundry logs | |
| if [@message] =~ /^\s*{".*}\s*$/ { # looks like JSON | |
| # parse JSON message | |
| json { | |
| source => "@message" | |
| target => "parsed_json_field" | |
| remove_field => [ "@message" ] | |
| add_field => { "parsed_json_field_name" => "%{[@source][component]}"} | |
| } | |
| if "_jsonparsefailure" in [tags] { | |
| # Amend the failure tag to match our fail/${addon}/${filter}/${detail} standard | |
| mutate { | |
| add_tag => ["fail/cloudfoundry/platform-vcap/json"] | |
| remove_tag => ["_jsonparsefailure"] | |
| } | |
| mutate { | |
| add_field => { "json_parsing" => "has failed" } | |
| } | |
| } else { | |
| mutate { | |
| rename => { "[parsed_json_field][message]" => "@message" } # @message | |
| } | |
| # mutate { | |
| # } | |
| # @level | |
| translate { | |
| field => "[parsed_json_field][log_level]" | |
| dictionary => [ "0", "DEBUG", "1", "INFO", "2", "ERROR", "3", "FATAL" ] | |
| destination => "@level" | |
| override => true | |
| fallback => "%{[parsed_json_field][log_level]}" | |
| remove_field => "[parsed_json_field][log_level]" | |
| } | |
| } | |
| } else { | |
| mutate { | |
| add_field => { "doesnt look like" => "json" } | |
| } | |
| } | |
| } | |
| } | |
| output { | |
| stdout { codec => rubydebug } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment