Skip to content

Instantly share code, notes, and snippets.

@ssm

ssm/gist:9bd2e210b230d264bb9e0591398afe22

Created September 19, 2016 06:44
Show Gist options
  • Save ssm/9bd2e210b230d264bb9e0591398afe22 to your computer and use it in GitHub Desktop.
Save ssm/9bd2e210b230d264bb9e0591398afe22 to your computer and use it in GitHub Desktop.
Download ZIP
Logstash parsing dpkg.log
Raw
gistfile1.txt
else if [fields][log_format] == "dpkg" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date {
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
remove_field => [ "timestamp" ]
}
grok {
match => {
"message" => [
"^startup " ,
"^(?<_action>install|upgrade|configure|remove|purge) (?<_package>[^ :]+)(:(?<_architecture>\S+))? (?<_version>\S+) (?<_oldversion>\S+)",
"^status (?<_status>\S+) (?<_package>[^ :]+)(:(?<_architecture>\S+))? (?<_version>\S+)",
"^trigproc (?<_package>[^ :]+)(:(?<_architecture>\S+))? (?<_version>\S+)"
]
}
}
if [_package] {
mutate {
add_field => { "[package][name]" => "%{_package}" }
remove_field => [ "_package" ]
}
}
if [_architecture] {
mutate {
add_field => { "[package][architecture]" => "%{_architecture}" }
remove_field => [ "_architecture" ]
}
}
if [_version] {
mutate {
add_field => { "[package][version]" => "%{_version}" }
remove_field => [ "_version" ]
}
}
if [_oldversion] {
mutate {
add_field => { "[package][oldversion]" => "%{_oldversion}" }
remove_field => [ "_oldversion" ]
}
}
if [_action] {
mutate {
add_field => { "[package][action]" => "%{_action}" }
remove_field => [ "_action" ]
}
}
if [_status] {
mutate {
add_field => { "[package][status]" => "%{_status}" }
remove_field => [ "_status" ]
}
}
}
@runningman84
Copy link

Does this work for you? My tests look good so far...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment