Minimal logsearch logstash config
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
  # Read events from one local file. The path is an absolute location on
  # the author's workstation; replace it with a log file on your own host.
  file {
    # "beginning" applies only the first time Logstash sees the file. On later
    # runs the file input resumes from the offset recorded in its sincedb.
    start_position => "beginning"
    path => "/Users/colin/Documents/Boulot/gds/logstash/nginx_access.log"
  }
}
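filter {
  # Initialize @input, @shipper and @source.
  # These values are hard-coded here so the vcap branch below can be exercised
  # against a local file; every event is labelled as coming from vcap.auctioneer.
  mutate {
    add_field => { "@input" => "syslog" }
    replace => { "[@shipper][priority]" => "14" }
    replace => { "[@shipper][name]" => "vcap.auctioneer_syslog" }
    add_field => { "[@source][component]" => "vcap.auctioneer" }
    add_field => { "[@source][type]" => "syslog" }
  }

  # The match is anchored to the start of the value. The ruby filter below
  # drops the first five characters unconditionally, so an unanchored match
  # (for example "x.vcap.foo") would enter the branch and have the wrong
  # characters stripped from the component name.
  if [@source][component] != "vcap.uaa" and [@source][component] =~ /^vcap\./ {
    # NOTE(review): event['...'] is the pre-5.0 Logstash event API; newer
    # releases expect event.get / event.set. Left as written for compatibility.
    ruby {
      code => "event['[@source][component]'] = event['[@source][component]'][5..-1]" # minus "vcap." prefix
    }
    mutate {
      replace => { "@type" => "vcap" }
      add_tag => "vcap"
    }

    # Parse Cloud Foundry logs
    if [@message] =~ /^\s*{".*}\s*$/ { # looks like JSON
      # Parse the JSON message into its own sub-tree. Using a dedicated target
      # keeps keys taken from the log line from overwriting top-level fields
      # such as @source or @shipper. remove_field and add_field are applied
      # only when parsing succeeds, so @message survives a parse failure.
      json {
        source => "@message"
        target => "parsed_json_field"
        remove_field => [ "@message" ]
        add_field => { "parsed_json_field_name" => "%{[@source][component]}"}
      }

      if "_jsonparsefailure" in [tags] {
        # Amend the failure tag to match our fail/${addon}/${filter}/${detail} standard
        mutate {
          add_tag => ["fail/cloudfoundry/platform-vcap/json"]
          remove_tag => ["_jsonparsefailure"]
        }
        # Debug marker that makes failed parses easy to spot in the output.
        mutate {
          add_field => { "json_parsing" => "has failed" }
        }
      } else {
        # Promote the parsed message text back to @message.
        mutate {
          rename => { "[parsed_json_field][message]" => "@message" } # @message
        }

        # @level: map the numeric log_level to a name. A value that is not in
        # the dictionary is copied through unchanged by the fallback.
        translate {
          field => "[parsed_json_field][log_level]"
          dictionary => [ "0", "DEBUG", "1", "INFO", "2", "ERROR", "3", "FATAL" ]
          destination => "@level"
          override => true
          fallback => "%{[parsed_json_field][log_level]}"
          remove_field => "[parsed_json_field][log_level]"
        }
      }
    } else {
      # Debug marker for events whose @message did not look like a JSON object.
      mutate {
        add_field => { "doesnt look like" => "json" }
      }
    }
  }
}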
output {
  # Pretty-print each event to the console with every field included. Raw log
  # content therefore appears on stdout, so this suits local debugging runs.
  stdout {
    codec => rubydebug
  }
}