# Where to get input.
# NOTE(review): none of the listeners sets `host =>`, so each binds the plugin
# default (typically every interface), and none uses TLS or client auth —
# anything that can reach these ports can inject events. Restrict the bind
# address or firewall the ports if they are not meant to be network-reachable.
input {
    # Plain syslog, accepted over both TCP and UDP on the same port.
    tcp {
        type => "syslog"
        port => 5000
    }
    udp {
        type => "syslog"
        port => 5000
    }

    # CoreOS journal (systemd) forwarded as newline-delimited JSON.
    # The "docker" tag is shared with the logspout input below.
    tcp {
        type  => "systemd"
        port  => 5004
        codec => "json_lines"
        tags  => ["coreos","docker"]
    }

    # Logspout container output, newline-delimited JSON.
    tcp {
        type  => "logspout"
        port  => 5006
        codec => "json_lines"
        tags  => ["docker"]
    }

    # Application logs via the log4j socket input.
    # NOTE(review): whether the log4j input honours `codec` is version
    # dependent — confirm against the installed plugin.
    log4j {
        type  => "log4j"
        port  => 4560
        codec => "json_lines"
        tags  => ["applogs"]
    }
}
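# Some Filtering
filter {
    # syslog filter: split the RFC3164-style line into fields, stamp where
    # and when it was received, then swap the payload into "message".
    if [type] == "syslog" {
        grok {
            match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
            add_field => [ "received_at", "%{@timestamp}" ]
            add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri { }
        date {
            # syslog timestamps carry no year or timezone; the date filter
            # fills in the current year and the Logstash host's zone.
            match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
        # Only rewrite "message" when grok actually produced syslog_message;
        # on a parse failure the original line is kept for the parse-err index.
        if !("_grokparsefailure" in [tags]) {
            mutate {
                replace => [ "message", "%{syslog_message}" ]
            }
            mutate {
                remove_field => [ "syslog_message" ]
            }
        }
        # Remove spurious fields that have names changed or been aggregated
        mutate {
            remove_field => [ "syslog_hostname", "syslog_timestamp" ]
        }
    }

    # systemd/journal filter (CoreOS): map journal field names onto the
    # common ones used by the other inputs.
    if [type] == "systemd" {
        mutate { rename => [ "MESSAGE", "message" ] }
        mutate { rename => [ "_SYSTEMD_UNIT", "program" ] }
    }

    # Docker filter. [tags] is an array, so `[tags] == "docker"` compares the
    # whole array with a string and never matches an event carrying more than
    # one tag (the CoreOS input sets two); `in` is the membership test the
    # rest of this file already uses. NOTE(review): with `in`, systemd events
    # tagged "docker" now reach this block too — if only logspout events are
    # meant to be JSON-decoded, test `[type] == "logspout"` instead.
    if "docker" in [tags] {
        json {
            source => "message"
        }
        mutate {
            rename => [ "log", "message" ]
        }
        date {
            match => [ "time", "ISO8601" ]
        }
    }
}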
# Where to send output
output {
    # Echo every event to the process's stdout in Ruby debug form.
    # NOTE(review): this is a debugging aid and prints each event a second
    # time; it is usually dropped outside development.
    stdout {
        codec => rubydebug
    }

    # Events grok could not parse go to their own daily index.
    # NOTE(review): the main elasticsearch output below is unconditional, so
    # these events are indexed twice; if "separate" is meant literally, put
    # the main output in an `else` branch.
    if "_grokparsefailure" in [tags] {
        elasticsearch {
            # host => ["localhost:9200"]
            host     => ["ES_CONN_STR"]
            index    => "parse-err-%{+YYYY.MM.dd}"
            protocol => "http"
        }
    }

    # Main Elasticsearch output, one index per day.
    # NOTE(review): `user`/`password` are stored here in cleartext and, with
    # `protocol => "http"`, are sent unencrypted unless TLS is terminated in
    # front of Elasticsearch. Keep real credentials out of the config file
    # (deploy-time substitution like ES_CONN_STR, or a secrets store) and
    # prefer an https endpoint.
    elasticsearch {
        # host => ["localhost:9200"]
        host     => ["ES_CONN_STR"]
        index    => "cgidev-logstash-%{+YYYY.MM.dd}"
        protocol => "http"
        user     => logstash
        password => logstash
    }
}