#!/usr/bin/rubyrequire 'rubygems'require 'aws/s3'# for non-us buckets, we n

1. #!/usr/bin/ruby
2.  
3. require 'rubygems'
4. require 'aws/s3'
5.  
6. # for non-us buckets, we need to change the endpoint
7. AWS.config(:s3_endpoint => "s3-eu-west-1.amazonaws.com")
8.  
9. # connect to S3
10. s3 = AWS::S3.new(:access_key_id => S3_ACCESS_KEY, :secret_access_key => S3_SECRET_KEY)
11.  
12. # grab the bucket where the logs are stored
13. bucket = s3.buckets[BUCKET_NAME]
14.  
15. File.open("/var/log/s3_bucket.log", 'w') do |file|
16.  
17. # grab all the objects in the bucket, can also use a prefix here and limit what S3 returns
18. bucket.objects.with_prefix('staticassets-logs/').each do |log|
19. log.read do |line|
20. file.write(line)
21. end
22. end
23. end
24.  
25. #!/bin/bash
26. export PATH=$PATH:/bin:/usr/bin
27. cd /var/log/s3/$S3_BUCKET/
28. export s3url=s3://$S3_BUCKET/$S3_PREFIX
29. s3cmd -c /home/logstash/.s3cfg sync --skip-existing $s3url .
30.  
31. input {
32. file {
33. type => "s3-access-log"
34. path => "/var/log/s3/$S3_BUCKET/$S3_BUCKET/*"
35. sincedb_path => "/dev/null"
36. start_position => "beginning"
37. }
38. }
39. filter {
40. if [type] == "s3-access-log" {
41. grok {
42. patterns_dir => ["/etc/logstash/conf.d/patterns"]
43. match => { "message" => "%{S3_ACCESS_LOG}" }
44. remove_field => ["message"]
45. }
46. date {
47. match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
48. remove_field => ["timestamp"]
49. }
50. }
51. }
52. output {
53. elasticsearch { host => localhost }
54. stdout { codec => rubydebug }
55. }