
@wstrange
Created January 27, 2014 21:16
# Inputs: three file tails, one per audit source. Each block stamps its events
# with a `type`, and the filter section branches on that value.
# The Logstash process only needs read access to these paths.
input {
  # OpenIDM reconciliation audit log, read from the first line of the file.
  # NOTE(review): if the CSV starts with a header row, that row is ingested as
  # an event too -- confirm against a sample file.
  file {
    path           => "/opt/openidm/audit/recon.csv"
    type           => "idmRecon"
    start_position => "beginning"
  }

  # OpenIDM activity audit log (object changes), also read from the start.
  file {
    path           => "/opt/openidm/audit/activity.csv"
    type           => "idmActivity"
    start_position => "beginning"
  }

  # OpenAM authentication logs. The glob takes every file whose name starts
  # with "amAuthentication."; the events are nevertheless typed "amAccess".
  # start_position is left commented out, so the file input's default applies
  # (new files are tailed from the end, and existing content is not replayed).
  file {
    path => "/opt/openam/openam-config/openam/log/amAuthentication.*"
    type => "amAccess"
    # start_position => beginning
  }
}
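# Filters: split each raw line into named columns, then set the event
# timestamp from the log's own time column. One branch per input `type`.
filter {
  # --- OpenIDM reconciliation audit -------------------------------------
  if [type] == "idmRecon" {
    csv {
      columns => [
        "idX", "action", "actionId", "ambiguousTargetObjectIds", "entryType",
        "message", "reconciling", "reconId", "rootActionId", "situation",
        "sourceObjectId", "status", "targetObjectId", "timestamp"
      ]
    }
    # Replace the ingest time with the time recorded in the audit row.
    date {
      match => ["timestamp", "ISO8601"]
    }
  }

  # --- OpenIDM activity audit -------------------------------------------
  if [type] == "idmActivity" {
    csv {
      # NOTE(review): "before"/"after" presumably carry object snapshots and
      # "passwordChanged" flags credential updates. Confirm whether these
      # columns can hold credential material before they are indexed or
      # printed by the outputs below.
      # NOTE(review): "_id" is also the name of Elasticsearch's document-id
      # metadata field (the recon branch uses "idX" instead). Confirm the
      # output accepts an event field with this name.
      columns => [
        "_id", "action", "activityId", "after", "before", "changedFields",
        "message", "objectId", "parentActionid", "passwordChanged",
        "requester", "rev", "rootActionId", "status", "timestamp"
      ]
    }
    date {
      match => ["timestamp", "ISO8601"]
    }
  }

  # --- OpenAM authentication log ----------------------------------------
  if [type] == "amAccess" {
    csv {
      # Column names are quoted here to match the two csv filters above.
      # The original listed them as barewords, which name the same columns.
      columns => [
        "time", "Data", "LoginID", "ContextID", "IPAddr", "LogLevel",
        "Domain", "LoggedBy", "MessageID", "ModuleName", "NameID", "HostName"
      ]
      # NOTE(review): the separator shown is a single space, and the date
      # pattern below contains a space too. The time value must therefore be
      # quoted in the log to stay in one column. If the log is tab-delimited,
      # this literal has to be a real tab -- confirm against a sample line.
      separator => " "
    }
    # The pattern carries no zone, so the value is interpreted in the
    # Logstash host's zone unless the date filter's `timezone` option is set.
    # This matters when correlating these events with other sources.
    date {
      match => ["time", "yyyy-MM-dd HH:mm:ss"]
    }
    # Enrich with location data looked up from the client address column.
    # IPAddr comes from the log line. Check how private or unparseable
    # addresses show up downstream before alerting on the geo fields.
    geoip {
      database => "/usr/share/GeoIP/GeoIP.dat"
      source => ["IPAddr"]
    }
  }
}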
# Outputs: every event goes both to the console and to Elasticsearch.
output {
  # Debug aid: print each parsed event in full to see what Logstash made of it.
  # These are identity audit records, so whatever captures this process's
  # stdout (terminal scrollback, service log) receives a copy of them.
  stdout {
    codec => rubydebug
    debug => true
  }

  # `embedded => true` runs an Elasticsearch node inside the Logstash process.
  # NOTE(review): confirm which interfaces that node listens on and what
  # access control fronts it, since it will hold the audit data indexed here.
  elasticsearch {
    embedded => true
  }
}