tolleiv/php.conf

## php.conf
#
# Configure php error log filtering
#
filter {
	if [type] == "php-error" {
		multiline {
			pattern => "%{SYSLOG5424SD:timestamp} PHP (?:%{LOGLEVEL:loglevel})"
			negate => true
			what => "previous"
		}
		grok {
			patterns_dir => "patterns"
			match => [ "message", "\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{WORD:timezone}/%{WORD:country}\] PHP (?:%{LOGLEVEL:loglevel})(?:%{GREEDYDATA:error})" ]
			add_field    => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{timezone}/%{country}" }
			remove_field => [ "day", "month", "year", "time", "timezone", "country" ]
			tag_on_failure => [ "failure_grok_php-error" ]
		}
		mutate {
			uppercase => [ "loglevel" ]
		}
		date {
			match        => [ "timestamp" , "yyyy-MM-dd HH:mm:ss", "dd-MMM-yyyy HH:mm:ss ZZZ" ]
			target       => "@timestamp"
			remove_field => "timestamp"
		}
	}
}
	#
	# Configure php error log filtering
	#
	filter {
	if [type] == "php-error" {
	multiline {
	pattern => "%{SYSLOG5424SD:timestamp} PHP (?:%{LOGLEVEL:loglevel})"
	negate => true
	what => "previous"
	}
	grok {
	patterns_dir => "patterns"
	match => [ "message", "\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{WORD:timezone}/%{WORD:country}\] PHP (?:%{LOGLEVEL:loglevel})(?:%{GREEDYDATA:error})" ]
	add_field => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{timezone}/%{country}" }
	remove_field => [ "day", "month", "year", "time", "timezone", "country" ]
	tag_on_failure => [ "failure_grok_php-error" ]
	}
	mutate {
	uppercase => [ "loglevel" ]
	}
	date {
	match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss", "dd-MMM-yyyy HH:mm:ss ZZZ" ]
	target => "@timestamp"
	remove_field => "timestamp"
	}
	}
	}