karthikvee

logstash-filters-config-for-openstack

Aug 17th, 2017
  1. input {
       # One file input per OpenStack service log. Every event gets a service
       # tag (nova, keystone, glance, neutron) plus a format tag, and the filter
       # section of this config branches on those tags.
       # NOTE(review): no start_position is set, so the file input default
       # ("end") applies and lines already in a file when Logstash first sees it
       # are not ingested.
       # NOTE(review): the Logstash account needs read access to these log
       # directories; granting it through group membership instead of running
       # the collector as root keeps it least-privileged.
  2.   file {
  3.     path => ['/var/log/nova/nova-api.log']
  4.     tags => ['nova', 'oslofmt']
  5.     type => "nova"
  6.   }
  7.   file {
  8.     path => ['/var/log/nova/nova-conductor.log']
  9.     tags => ['nova', 'oslofmt']
  10.     type => "nova"
  11.   }
  12.   file {
  13.     path => ['/var/log/nova/nova-manage.log']
  14.     tags => ['nova', 'oslofmt']
  15.     type => "nova"
  16.   }
  17.   file {
  18.     path => ['/var/log/nova/nova-scheduler.log']
  19.     tags => ['nova', 'oslofmt']
  20.     type => "nova"
  21.   }
        # NOTE(review): the three keystone inputs are tagged 'keystonefmt', not
        # 'oslofmt'. The filter section in this config only parses events tagged
        # 'oslofmt', so keystone (identity service) events appear to be shipped
        # without grok parsing unless another config file handles 'keystonefmt'
        # - confirm, since unparsed keystone events cannot feed field-based alerts.
  22. file {
  23.     path => ['/var/log/keystone/keystone-wsgi-admin.log']
  24.     tags => ['keystone', 'keystonefmt']
  25.     type => "keystone"
  26.   }
  27.   file {
  28.     path => ['/var/log/keystone/keystone-manage.log']
  29.     tags => ['keystone', 'keystonefmt']
  30.     type => "keystone"
  31.   }
  32.   file {
  33.     path => ['/var/log/keystone/keystone-wsgi-public.log']
  34.     tags => ['keystone', 'keystonefmt']
  35.     type => "keystone"
  36.   }
  37.   file {
  38.     path => ['/var/log/glance/glance-api.log']
  39.     tags => ['glance', 'oslofmt']
  40.     type => "glance"
  41.   }
  42. file {
  43.     path => ['/var/log/glance/glance-registry.log']
  44.     tags => ['glance', 'oslofmt']
  45.     type => "glance"
  46.   }
  47.   file {
  48.     path => ['/var/log/neutron/neutron-server.log']
  49.     tags => ['neutron', 'oslofmt']
  50.     type => "neutron"
  51.   }
  52. }
  53.  
  54.  
  55. filter {
        # Parses events in three branches: tag "oslofmt" (OpenStack services),
        # tag "libvirt", and type "syslog". The grok filters read [message] and
        # write the parsed remainder to [logmessage]; later gsub/grok steps only
        # touch [logmessage], so [message] keeps the text as it was ingested.
  56.   if "oslofmt" in [tags] {
          # Folds lines that do not start with a timestamp, and TRACE lines, into
          # the previous event so a traceback stays in one event.
          # NOTE(review): the multiline filter is deprecated in favour of the
          # multiline codec on the input and is not thread-safe; with more than
          # one pipeline worker or several files feeding it, lines can be merged
          # into the wrong event - confirm the worker count or move to the codec.
  57.     multiline {
  58.       negate => true
  59.       pattern => "^%{TIMESTAMP_ISO8601} "
  60.       what => "previous"
  61.     }
  62.     multiline {
  63.       negate => false
  64.       pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}?%{SPACE}?TRACE"
  65.       what => "previous"
  66.     }
  67.     grok {
  68.       # Do multiline matching as the above multiline filter may add newlines
  69.       # to the log messages.
  70.       # TODO move the LOGLEVELs into a proper grok pattern.
  71.       match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
  72.       add_field => { "received_at" => "%{@timestamp}" }
  73.     }
          # NOTE(review): [logdate] is captured above, but this branch has no date
          # filter (the syslog branch has one), so @timestamp stays at ingest time
          # and equals received_at unless it is set elsewhere. Incident timelines
          # built on @timestamp would then reflect collection time, not the time
          # the service logged the event.
          # Events logged by the iso8601.iso8601 module are discarded entirely.
  74.     if [module] == "iso8601.iso8601" {
  75.       drop {}
  76.     }
  77.  
          # Per-service request-line parsing. Each branch strips double quotes
          # from [logmessage], extracts the request fields, and on a successful
          # match adds [api] and the "apimetrics" tag.
          # NOTE(review): requesterip, url_path, method and user_agent are matched
          # with NOTSPACE/GREEDYDATA, so they are not validated; they originate
          # from the client request and should be treated as untrusted wherever
          # they are displayed or used in alert logic.
  78.     if "keystone" in [tags] {
             # NOTE(review): reached only by events tagged both "oslofmt" and
             # "keystone". The keystone file inputs in this config are tagged
             # "keystonefmt", so this branch looks unreachable for them - confirm.
  79.        mutate {
  80.             gsub => ['logmessage',"\"",""]
  81.        }
  82.        grok {
  83.           match => { "logmessage" => "\[\-\] %{NOTSPACE:requesterip} \- \- \[%{NOTSPACE:req_date} %{NOTSPACE:req_time}\] %{NOTSPACE:method} %{NOTSPACE:url_path} %{NOTSPACE:http_ver} %{NUMBER:response} %{NUMBER:bytes} %{NUMBER:seconds}" }
  84.           add_field => ["api", "keystone"]
  85.           add_tag => ["apimetrics"]
  86.        }
  87.     } else if "nova" in [tags] {
             # Only the compute API WSGI server lines are parsed as requests.
  88.        if [module] == "nova.osapi_compute.wsgi.server" {
  89.          mutate {
  90.               gsub => ['logmessage',"\"",""]
  91.          }
  92.          grok {
  93.             match => { "logmessage" => "\[req\-%{NOTSPACE:requestid} %{NOTSPACE:user_id} %{NOTSPACE:tenant}\] %{NOTSPACE:requesterip} %{NOTSPACE:method} %{NOTSPACE:url_path} %{NOTSPACE:http_ver} status\: %{NUMBER:response} len\: %{NUMBER:bytes} time\: %{NUMBER:seconds}" }
  94.             add_field => ["api", "nova"]
  95.             add_tag => ["apimetrics"]
  96.          }
  97.        }
  98.     } else if "neutron" in [tags] {
  99.        if [module] == "neutron.wsgi" {
               # Lines whose [logmessage] contains "accepted" are skipped.
  100.          if "accepted" not in [logmessage] {
  101.            mutate {
  102.                 gsub => ['logmessage',"\"",""]
  103.            }
  104.            grok {
  105.               match => { "logmessage" => "\[req\-%{NOTSPACE:requestid} %{NOTSPACE:user_id} %{NOTSPACE:tenant}\] %{NOTSPACE:requesterip} \- \- \[%{NOTSPACE:req_date} %{NOTSPACE:req_time}\] %{NOTSPACE:method} %{NOTSPACE:url_path} %{NOTSPACE:http_ver} %{NUMBER:response} %{NUMBER:bytes} %{NUMBER:seconds}" }
  106.               add_field => ["api", "neutron"]
  107.               add_tag => ["apimetrics"]
  108.            }
  109.          }
  110.        }
  111.     } else if "glance" in [tags] {
  112.        if [module] == "glance.wsgi.server" {
  113.          mutate {
  114.               gsub => ['logmessage',"\"",""]
  115.          }
  116.          grok {
  117.             match => { "logmessage" => "\[%{NOTSPACE:requestid} %{NOTSPACE:user_id} %{NOTSPACE:tenant} \- \- \-\] %{NOTSPACE:requesterip} \- \- \[%{NOTSPACE:req_date} %{NOTSPACE:req_time}\] %{NOTSPACE:method} %{NOTSPACE:url_path} %{NOTSPACE:http_ver} %{NUMBER:response} %{NUMBER:bytes} %{NUMBER:seconds}" }
  118.             add_field => ["api", "glance"]
  119.             add_tag => ["apimetrics"]
  120.          }
  121.        }
  122.     } else if "novametaapi" in [tags] {
              # NOTE(review): no input in this config applies the "novametaapi"
              # tag; presumably it is set by another config file - confirm.
  123.        mutate {
  124.             gsub => ['logmessage',"\"",""]
  125.        }
  126.        if [module] == "nova.api.ec2" {
  127.          grok {
  128.             match => { "logmessage" => "\[%{GREEDYDATA:requestid}\] %{NUMBER:seconds}s %{NOTSPACE:requesterip} %{NOTSPACE:method} %{NOTSPACE:url_path} None\:None %{NUMBER:response} %{GREEDYDATA:user_agent}" }
  129.             add_field => ["api", "metadata-ec2"]
  130.             add_tag => ["apimetrics"]
  131.          }
  132.        } else if [module] == "nova.metadata.wsgi.server" {
  133.          grok {
  134.             match => { "logmessage" => "\[%{GREEDYDATA:requestid}\] %{NOTSPACE:requesterip} %{NOTSPACE:method} %{NOTSPACE:url_path} %{NOTSPACE:http_ver} status\: %{NUMBER:response} len\: %{NUMBER:bytes} time\: %{NUMBER:seconds}" }
  135.             add_field => ["api", "metadata"]
  136.             add_tag => ["apimetrics"]
  137.          }
  138.        }
  139.     }
  140.   } else if "libvirt" in [tags] {
           # Splits libvirt lines into logdate, code, loglevel, module and
           # logmessage, then upper-cases loglevel.
           # NOTE(review): no input in this config applies the "libvirt" tag.
  141.     grok {
  142.        match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}:%{SPACE}%{NUMBER:code}:?%{SPACE}\[?\b%{NOTSPACE:loglevel}\b\]?%{SPACE}?:?%{SPACE}\[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
  143.        add_field => { "received_at" => "%{@timestamp}"}
  144.     }
  145.     mutate {
  146.        uppercase => [ "loglevel" ]
  147.     }
  148.   } else if [type] == "syslog" {
            # Parses classic syslog lines; no input in this config sets type
            # "syslog", so these events presumably come from another config file.
  149.      grok {
  150.         match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:logmessage}" }
  151.         add_field => [ "received_at", "%{@timestamp}" ]
  152.      }
            # The label list maps syslog severities 0-3 (emergency, alert,
            # critical, error) all to ERROR, 4 to WARNING, 5-6 to INFO and 7 to
            # DEBUG, so rules keyed on loglevel cannot tell an emergency from an
            # ordinary error.
            # NOTE(review): the grok above does not extract a priority value;
            # confirm that the input supplies one, otherwise check which severity
            # syslog_pri assigns by default.
  153.      syslog_pri {
  154.         severity_labels => ["ERROR", "ERROR", "ERROR", "ERROR", "WARNING", "INFO", "INFO", "DEBUG" ]
  155.      }
            # Sets the event time from the timestamp inside the syslog line.
  156.      date {
  157.         match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  158.      }
            # Only overwrite the source host when the line parsed cleanly.
            # NOTE(review): syslog_hostname comes from the message text, i.e. it
            # is whatever the sender wrote - treat it as unauthenticated.
  159.      if !("_grokparsefailure" in [tags]) {
  160.         mutate {
  161.            replace => [ "@source_host", "%{syslog_hostname}" ]
  162.         }
  163.      }
            # Aligns syslog events with the loglevel/module fields used by the
            # other branches and drops the intermediate syslog fields.
  164.      mutate {
  165.         remove_field => [ "syslog_hostname", "syslog_timestamp" ]
  166.         add_field => [ "loglevel", "%{syslog_severity}" ]
  167.         add_field => [ "module", "%{syslog_program}" ]
  168.      }
  169.   }
  170. }