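# Logstash pipeline: syslog intake on 1514/5140 (TCP and UDP), per-program
# parsing keyed on the syslog "program" field, then file + GELF output.
# Custom grok patterns referenced below (IPORHOSTORDASH, APACHEERRORDATE,
# HAPROXYDATE, PATHCOMPONENT, HAPROXYCAPTUREDREQUESTHEADERS,
# HAPROXYCAPTUREDRESPONSEHEADERS) are expected to live in /etc/logstash/patterns;
# they are not defined in this file.
input {
  # Plain syslog listeners. Neither transport authenticates the sender and UDP
  # source addresses are easily forged, so every field parsed out of the
  # message body below (host, program, pid, paths) is only as trustworthy as
  # the network segment that can reach these ports.
  tcp {
    port => 1514
    type => syslog
  }
  udp {
    port => 1514
    type => syslog
  }
  tcp {
    port => 5140
    type => syslog
  }
  udp {
    port => 5140
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    # Strip the syslog envelope (optional <PRI>, timestamp, host, program[pid]);
    # the remaining payload replaces "message".
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      overwrite => "message"
      match => {
        "message" => "^(?:<%{POSINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_host} (?:%{PROG:program}(?:\[%{POSINT:pid}\])?: )?%{GREEDYDATA:message}"
      }
    }
    # Syslog timestamps carry neither a year nor a zone. No `timezone` is set,
    # so the Logstash host's local zone is presumably assumed — set one
    # explicitly if the senders are in a different zone (TODO confirm).
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
    }
    # Decodes syslog_pri into facility/severity fields.
    syslog_pri {}
    # "host" is overwritten with the hostname the sender claimed inside the
    # message, discarding the transport-level peer address the input recorded.
    # Attribution therefore rests on the sender's own claim; keep the original
    # value in another field if forged hostnames need to be detectable.
    mutate {
      replace => ["host", "%{syslog_host}"]
      remove_field => ["syslog_host", "syslog_timestamp"]
    }
  }

  # Per-program parsing. "program" comes from the message body; every branch
  # sets "type" to a fixed literal, which keeps the %{type} interpolation in the
  # file output path bounded to a known set of names — keep it that way.
  if [program] == "apache-access" {
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => {
        "message" => "^%{IPORHOSTORDASH:vhost} %{IPORHOSTORDASH:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:accept_date}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})\" %{NUMBER:http_status_code} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:useragent}"
      }
    }
    mutate {
      replace => [ "type", "apache-access" ]
      convert => [ "http_status_code", "integer" ]
      convert => [ "bytes_read", "integer" ]
      uppercase => [ "http_verb" ]
    }
  } else if [program] == "apache-error" {
    mutate {
      replace => [ "type", "apache-error" ]
    }
    # First pass: date and client IP. A miss tags the event _grokparsefailure,
    # which gates the path extraction below.
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => {
        "message" => [
          "^\[%{APACHEERRORDATE:accept_date}\] \[error\] \[client %{IP:client_ip}\]"
        ]
      }
    }
    if !("_grokparsefailure" in [tags]) {
      # Second pass: pull a filesystem path out of the error text. Both
      # patterns are tried (break_on_match false) and a miss is expected, so
      # failure tagging is suppressed. tag_on_failure is array-valued: an empty
      # list disables the tag, whereas a bare "false" would add a literal tag
      # named "false" to every non-matching event.
      grok {
        patterns_dir => [ "/etc/logstash/patterns" ]
        break_on_match => false
        tag_on_failure => []
        match => {
          message => [
            "in %{PATH:absolute_path} on line %{POSINT:line_number}",
            "exist: %{PATH:absolute_path}"
          ]
        }
      }
      if [absolute_path] {
        # Derive cluster/store/domain/instance from the two known docroot layouts.
        # absolute_path is attacker-influenced text from the log line; it is
        # only ever used to build the vhost field, never as a path to open.
        grok {
          patterns_dir => [ "/etc/logstash/patterns" ]
          tag_on_failure => []
          match => {
            absolute_path => [
              "^/mnt/%{PATHCOMPONENT:cluster}/%{PATHCOMPONENT:store}/%{PATHCOMPONENT:domain}/%{PATHCOMPONENT:instance}",
              "^/var/www/%{PATHCOMPONENT:cluster}/%{PATHCOMPONENT:domain}/%{PATHCOMPONENT:instance}"
            ]
          }
        }
        if [domain] and [instance] {
          mutate {
            add_field => [ "vhost", "%{instance}.%{domain}" ]
            remove_field => [ "instance", "cluster", "store" ]
          }
        }
      }
    }
  } else if [program] == "haproxy" {
    # Large pattern with many optional groups; on a crafted or malformed line it
    # can backtrack heavily. Newer grok releases offer timeout_millis to bound
    # per-event matching time — worth enabling where the installed version has it.
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => {
        "message" => "^%{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?\""
      }
    }
    mutate {
      replace => [ "type", "haproxy" ]
      convert => [ "time_request", "integer" ]
      convert => [ "time_queue", "integer" ]
      convert => [ "time_backend_connect", "integer" ]
      convert => [ "time_backend_response", "integer" ]
      convert => [ "time_duration", "integer" ]
      convert => [ "http_status_code", "integer" ]
      convert => [ "bytes_read", "integer" ]
      uppercase => [ "http_verb" ]
    }
  } else if [program] == "nannybot" {
    mutate {
      replace => ["type", "nannybot"]
    }
  } else if [program] == "rails-delayed_jobs" {
    mutate {
      replace => ["type", "delayed_jobs"]
    }
  }
}

output {
  # One file per type and day. %{type} is safe to interpolate only because the
  # filter above restricts it to fixed literals (plus the input's "syslog").
  file {
    path => "/var/log/aggregate/%{type}.%{+yyyy-MM-dd}"
  }
  # GELF is sent over UDP; nothing here encrypts or authenticates it, so the
  # collector should only be reachable from a trusted segment.
  gelf {
    host => "ops-log1-dnslb.sjc.sugarcrm.pvt"
    port => "12201"
  }
}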