logstash confs

1. ## 01-s3.json
2.  
3. input {
4. file {
5. type => "s3-access-log"
6. path => "/var/log/tto_statics_s3.log"
7. sincedb_path => "/dev/null"
8. }
9. }
10. filter {
11. if [type] == "s3-access-log" {
12. grok {
13. patterns_dir => ["/etc/logstash/conf.d/patterns"]
14. match => { "message" => "%{S3_ACCESS_LOG}" }
15. remove_field => ["message"]
16. }
17. date {
18. match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
19. remove_field => ["timestamp"]
20. }
21. }
22. }
23. output {
24. elasticsearch { host => localhost }
25. stdout { codec => rubydebug }
26. }
27.  
28. ## /etc/logstash/conf.d/patterns/aws
29. S3_REQUEST_LINE (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
30.  
31. S3_ACCESS_LOG %{WORD:owner} %{NOTSPACE:bucket} \[%{HTTPDATE:timestamp}\] %{IP:clientip} %{NOTSPACE:requester} %{NOTSPACE:request_id} %{NOTSPACE:operation} %{NOTSPACE:key} (?:"%{S3_REQUEST_LINE}"|-) (?:%{INT:response:int}|-) (?:-|%{NOTSPACE:error_code}) (?:%{INT:bytes:int}|-) (?:%{INT:object_size:int}|-) (?:%{INT:request_time_ms:int}|-) (?:%{INT:turnaround_time_ms:int}|-) (?:%{QS:referrer}|-) (?:"?%{QS:agent}"?|-) (?:-|%{NOTSPACE:version_id})
32.  
33. ELB_URIPATHPARAM %{URIPATH:path}(?:%{URIPARAM:params})?
34.  
35. ELB_URI %{URIPROTO:proto}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:urihost})?(?:%{ELB_URIPATHPARAM})?
36.  
37. ELB_REQUEST_LINE (?:%{WORD:verb} %{ELB_URI:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})
38.  
39. ELB_ACCESS_LOG %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:elb} %{IP:clientip}:%{INT:clientport:int} %{IP:backendip}:%{INT:backendport:int} %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} %{INT:response:int} %{INT:backend_response:int} %{INT:received_bytes:int} %{INT:bytes:int} "%{ELB_REQUEST_LINE}"