  1. # Where to get input
  2. input {
  3. # syslog inputs
  4. tcp {
  5. port => 5000
  6. type => "syslog"
  7. }
  8. udp {
  9. port => 5000
  10. type => "syslog"
  11. }
  12.  
  13. # NAGIOS input
  14. tcp {
  15. port => 5044
  16. tags => ["nagios"]
  17. type => "nagios"
  18. }
  19.  
  20. # Logspout input
  21. tcp {
  22. codec => "json_lines"
  23. port => 5006
  24. tags => ["docker"]
  25. type => "logspout"
  26. }
  27.  
  28. # Log4j application input
  29. log4j {
  30. codec => "json_lines"
  31. port => 4560
  32. tags => ["applogs"]
  33. type => "log4j"
  34. }
  35. }
  36.  
  37. # Some Filtering
  38. filter {
  39. # syslog filter
  40. if [type] == "syslog" {
  41. grok {
  42. match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  43. add_field => [ "received_at", "%{@timestamp}" ]
  44. add_field => [ "received_from", "%{host}" ]
  45. }
  46. syslog_pri { }
  47. date {
  48. match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  49. }
  50.  
  51. if !("_grokparsefailure" in [tags]) {
  52. mutate {
  53. replace => [ "message", "%{syslog_message}" ]
  54. }
  55.  
  56. mutate {
  57. remove_field => [ "syslog_message" ]
  58. }
  59. }
  60.  
  61. # Remove spurious fields that have names changed or been aggregated
  62. mutate {
  63. remove_field => [ "syslog_hostname", "syslog_timestamp" ]
  64. }
  65. }
  66.  
  67. # systemd/journal filter (CoreOS)
  68. if [type] == "systemd" {
  69. mutate { rename => [ "MESSAGE", "message" ] }
  70. mutate { rename => [ "_SYSTEMD_UNIT", "program" ] }
  71. }
  72.  
  73. #Nagios filter
  74. if [type] == "nagios" {
  75. grok {
  76. match => { "message" => "%{NAGIOSLOGLINE}" }
  77. }
  78. }
  79.  
  80. # Docker filter
  81. if [tags] == "docker" {
  82. json {
  83. source => "message"
  84. }
  85. mutate {
  86. rename => [ "log", "message" ]
  87. }
  88. date {
  89. match => [ "time", "ISO8601" ]
  90. }
  91. }
  92. }
  93.  
  94. # Where to send output
  95. output {
  96. # Send output to standard output device/interface
  97. stdout {
  98. codec => rubydebug
  99. }
  100.  
  101. # Parse failed messages to separate index
  102. if "_grokparsefailure" in [tags] {
  103. elasticsearch {
  104. # host => ["localhost:9200"]
  105. host => ["ES_CONN_STR"]
  106. index => "cgidev-parse-err-%{+YYYY.MM.dd}"
  107. protocol => "http"
  108. user => logstash
  109. password => logstash
  110. }
  111. }
  112.  
  113. # Elasticsearch output
  114. elasticsearch {
  115. # host => ["localhost:9200"]
  116. host => ["ES_CONN_STR"]
  117. index => "cgidev-logstash-%{+YYYY.MM.dd}"
  118. protocol => "http"
  119. user => logstash
  120. password => logstash
  121. }
  122. }