  input {
    # Accept events pushed by Filebeat / other Beats on the Beats protocol port.
    beats { port => 5044 }
  }
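  filter {
    # The beats input tags events it decoded with its default plain codec; the
    # tag carries nothing useful downstream, so strip it first.
    if "beats_input_codec_plain_applied" in [tags] {
      mutate {
        remove_tag => ["beats_input_codec_plain_applied"]
      }
    }

    # [fileset][name] selects the parser; presumably set by the Filebeat nginx
    # module (access / error) — confirm against the shipper configuration.
    if [fileset][name] == "access" {
      # Custom nginx access-log format with upstream timings. Two patterns: the
      # first for a normal request line (method + path), the second for the
      # `method=-` case where the request line carries a host instead of a path.
      # Note that verb, referrer and ssl_session_reused are written as top-level
      # fields, not under [nginx][access].
      grok {
        match => {
          "message" => [
            '^\"%{HTTPDATE:[nginx][access][time]}\" client=%{IPORHOST:[nginx][access][remote_ip]} method=%{WORD:[nginx][access][method]} request=\"%{WORD:verb} %{URIPATHPARAM:[nginx][access][request_path]} HTTP/%{NUMBER:[nginx][access][http_version]}\" request_length=(?:%{NUMBER:[nginx][access][request_length]}|-) status=%{NUMBER:[nginx][access][response_code]} bytes_sent=(?:%{NUMBER:[nginx][access][bytes_sent]}|-) body_bytes_sent=%{NUMBER:[nginx][access][body_sent][bytes]} referer=((?:%{URI:referrer}|-)|%{QS:referrer}) user_agent=%{QS:[nginx][access][agent]} upstream_addr=%{GREEDYDATA:[nginx][access][upstream_addr]} upstream_status=(%{NUMBER:[upstream][access][status_code]}|-) request_time=(?:%{NUMBER:[nginx][access][request_time]}|-) ssl_session_reused=(?:%{WORD:ssl_session_reused}|\.|-) upstream_response_time=(?:%{NUMBER:[upstream][access][response_time]}|-) upstream_connect_time=(?:%{NUMBER:[upstream][access][connect_time]}|-) upstream_header_time=(?:%{NUMBER:[upstream][access][header_time]}|-)',
            '^\"%{HTTPDATE:[nginx][access][time]}\" client=%{IPORHOST:[nginx][access][remote_ip]} method=- request=\"%{WORD:[nginx][access][method]} %{URIHOST:[nginx][access][request_path]} HTTP/%{NUMBER:[nginx][access][http_version]}\" request_length=(?:%{NUMBER:[nginx][access][request_length]}|-) status=%{NUMBER:[nginx][access][response_code]} bytes_sent=(?:%{NUMBER:[nginx][access][bytes_sent]}|-) body_bytes_sent=%{NUMBER:[nginx][access][body_sent][bytes]} referer=((?:%{URI:referrer}|-)|%{QS:referrer}) user_agent=%{QS:[nginx][access][agent]} upstream_addr=%{GREEDYDATA:[nginx][access][upstream_addr]} upstream_status=(%{NUMBER:[upstream][access][status_code]}|-) request_time=(?:%{NUMBER:[nginx][access][request_time]}|-) ssl_session_reused=(?:%{WORD:ssl_session_reused}|\.|-) upstream_response_time=(?:%{NUMBER:[upstream][access][response_time]}|-) upstream_connect_time=(?:%{NUMBER:[upstream][access][connect_time]}|-) upstream_header_time=(?:%{NUMBER:[upstream][access][header_time]}|-)'
          ]
        }
        remove_field => "message"
      }

      # grok emits every capture as a string; coerce the numeric ones so they
      # are indexed as numbers. One mutate replaces the per-field `!= ''` guards:
      # `convert` skips fields that are absent from the event (the `(…|-)`
      # alternatives above produce no field when the value is `-`), and
      # %{NUMBER} can never match an empty string, so the guards were dead.
      # The HTTP status is captured as [nginx][access][response_code]; the
      # previous config converted [nginx][access][status_code], which nothing
      # sets, so the status was left as a string.
      mutate {
        convert => {
          "[nginx][access][response_code]" => "integer"
          "[nginx][access][bytes_sent]" => "integer"
          "[nginx][access][body_sent][bytes]" => "integer"
          "[nginx][access][request_length]" => "integer"
          "[upstream][access][status_code]" => "integer"
          "[nginx][access][request_time]" => "float"
          "[upstream][access][response_time]" => "float"
          "[upstream][access][connect_time]" => "float"
          "[upstream][access][header_time]" => "float"
          "[nginx][access][http_version]" => "float"
        }
      }

      mutate {
        # Keep the ingestion time before `date` below overwrites @timestamp
        # with the time nginx logged the request.
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[nginx][access][time]"
      }
      # The raw User-Agent string is client-controlled; it is parsed into
      # structured fields and the raw value dropped.
      useragent {
        source => "[nginx][access][agent]"
        target => "[nginx][access][user_agent]"
        remove_field => "[nginx][access][agent]"
      }
      geoip {
        source => "[nginx][access][remote_ip]"
        target => "[nginx][access][geoip]"
      }
    }
    else if [fileset][name] == "error" {
      # nginx error log: time, [level], pid#tid, optional "*connection_id ",
      # then the free-text message.
      grok {
        match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }
        remove_field => "message"
      }
      # NOTE(review): the access branch copies @timestamp into read_timestamp
      # with add_field, whereas this branch renames it; presumably intentional
      # — confirm, since a failed `date` parse here leaves no original value.
      mutate {
        rename => { "@timestamp" => "read_timestamp" }
      }
      date {
        match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]
        remove_field => "[nginx][error][time]"
      }
    }
  }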
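  output {
    # Events grok could not parse still carry their raw `message`; park them in
    # a local file for inspection rather than indexing half-empty documents.
    # NOTE(review): /tmp is shared and this file is never rotated — consider a
    # dedicated directory with restrictive permissions and a size limit.
    if "_grokparsefailure" in [tags] {
      file { path => "/tmp/grok_failures.txt" }
    }
    else {
      elasticsearch {
        hosts => "https://UNIQUE_HOST.eu-west-1.aws.found.io:9243"
        # Credentials are read from the environment or the Logstash keystore
        # instead of being committed with the pipeline. The `:value` suffix is
        # the fallback used when the variable is unset, so the original
        # (placeholder) values still apply unchanged.
        user => "${ES_USER:elastic}"
        password => "${ES_PASSWORD:password}"
        # Fixed index name: every event is written to this one index regardless
        # of arrival date.
        index => "filebeat-2020-07-07-15-01"
      }
    }
    # stdout { codec => rubydebug }
  }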