input { amqp { exchange_type => "topic" name => "logqueue1"

1. input {
2. amqp {
3. exchange_type => "topic"
4. name => "logqueue1"
5. port => 5672
6. type => "json_event"
7. debug => false
8. host => "logqueue1"
9. password => "logstash"
10. user => "logstash"
11. durable => false
12. vhost => "/raw_logs"
13. }
14. }
15. filter {
16. multiline {
17. pattern => "^\tat.*"
18. type => "mccommon"
19. what => "previous"
20. }
21. multiline {
22. pattern => "^\w*[0-9]:in `.*"
23. type => "mccommon"
24. what => "previous"
25. }
26. multiline {
27. pattern => "^([a-zA-Z0-9-]+\.)+[A-Za-z0-9]+(: ([a-zA-Z0-9-]+\.)+[A-Za-z0-9]+)?$"
28. type => "mccommon"
29. what => "previous"
30. }
31. grep {
32. negate => true
33. listenerError => "^.*error in listener, dont know what to do, continuing."
34. }
35. grok {
36. pattern => "%{TIMESTAMP_ISO8601:timestamp} [|] (?:%{guid=(?:\w{8}-(?:\w{4}-){3}\w{12})}|\s)? [|] \s*%{level=(?:TRACE|DEBUG|FATAL|ERROR|WARN|INFO)} [|] (?:%{JAVACLASS:javaclass}|%{WORD:javaclass}) [|] %{DATA:thread}? [|].*"
37. type => "mccommon"
38. }
39. date {
40. timestamp => "yyyy-MM-dd HH:mm:ss,SSS"
41. type => "mccommon"
42. }
43. multiline {
44. pattern => "^ \S+:-?\d+(:in `.+')?$"
45. type => "trinidad"
46. what => "previous"
47. }
48. multiline {
49. pattern => "^\tfrom.*"
50. type => "trinidad"
51. what => "previous"
52. }
53. multiline {
54. pattern => "^\s:[0-9]+$"
55. type => "trinidad"
56. what => "previous"
57. }
58. multiline {
59. pattern => "^$"
60. type => "trinidad"
61. what => "previous"
62. }
63. grok {
64. pattern => ["%{timestamp=%{MONTH} %{MONTHDAY}, %{YEAR} 1?\d:%{MINUTE}:%{SECOND} (?:A|P)M} (?:%{JAVACLASS:javaclass}|%{javaclass=[A-Za-z0-9.$]+}) <?%{javamethod=\w+}>?", "%{RUBY_LOGLEVEL:level}: %{exception=\w+(?:[:]{2}\w+)? -.*:$}", "%{RUBY_LOGLEVEL:level}: %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{URIPATHPARAM:request} (?:HTTP/%{NUMBER:httpversion})?\" %{NUMBER:response} (?:%{NUMBER:bytes:int}|-) (?:%{NUMBER:responsetime:float}|-)", "%{RUBY_LOGLEVEL:level}: .*"]
65. type => "trinidad"
66. }
67. multiline {
68. pattern => "^(DEBUG|FATAL|ERROR|WARN|INFO):"
69. type => "trinidad"
70. what => "previous"
71. }
72. date {
73. timestamp => "MMM dd, yyyy h:mm:ss a"
74. type => "trinidad"
75. }
76. grok {
77. pattern => "%{COMBINEDAPACHELOG} %{QS:xforwardedfor} %{NUMBER:request_time:float}"
78. type => "nginxaccess"
79. }
80. date {
81. timestamp => "dd/MMM/YYYY:HH:mm:ss Z"
82. type => "nginxaccess"
83. }
84. grok {
85. pattern => "%{timestamp=%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}} \[%{level=(?:debug|info|notice|warn|error|crit)}\] %{INT:pid}#%{INT:thread}: \*%{INT:connection} %{DATA:error_message}, client: %{IPORHOST:client}, server: %{IPORHOST:server}, request: \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\",(?: upstream: \"%{URI:upstream_uri}\",)? host: \"(?:%{IPORHOST:host}|%{HOSTPORT:host})?\""
86. type => "nginxerror"
87. }
88. }
89. output {
90. amqp {
91. exchange_type => "topic"
92. name => "logqueue2"
93. port => 5672
94. debug => false
95. host => "logqueue2"
96. password => "logstash"
97. user => "logstash"
98. durable => false
99. vhost => "/filtered_logs"
100. }
101. }