Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- touch /etc/logstash/conf.d/mysql-filter.conf
- input {
- beats {
- port => 5044
- host => "0.0.0.0"
- }
- }
- filter {
- if [fileset][module] == "mysql" {
- if [fileset][name] == "error" {
- grok {
- match => { "message" => ["%{LOCALDATETIME:[mysql][error][timestamp]} (\[%{DATA:[mysql][error][level]}\] )?%{GREEDYDATA:[mysql][error][message]}",
- "%{TIMESTAMP_ISO8601:[mysql][error][timestamp]} %{NUMBER:[mysql][error][thread_id]} \[%{DATA:[mysql][error][level]}\] %{GREEDYDATA:[mysql][error][message1]}",
- "%{GREEDYDATA:[mysql][error][message2]}"] }
- pattern_definitions => {
- "LOCALDATETIME" => "[0-9]+ %{TIME}"
- }
- remove_field => "message"
- }
- mutate {
- rename => { "[mysql][error][message1]" => "[mysql][error][message]" }
- }
- mutate {
- rename => { "[mysql][error][message2]" => "[mysql][error][message]" }
- }
- date {
- match => [ "[mysql][error][timestamp]", "ISO8601", "YYMMdd H:m:s" ]
- remove_field => "[mysql][error][time]"
- }
- }
- else if [fileset][name] == "slowlog" {
- grok {
- match => { "message" => ["^# User@Host: %{USER:[mysql][slowlog][user]}(\[[^\]]+\])? @ %{HOSTNAME:[mysql][slowlog][host]} \[(IP:[mysql][slowlog][ip])?\](\s*Id:\s* %{NUMBER:[mysql][slowlog][id]})?\n# Query_time: %{NUMBER:[mysql][slowlog][query_time][sec]}\s* Lock_time: %{NUMBER:[mysql][slowlog][lock_time][sec]}\s* Rows_sent: %{NUMBER:[mysql][slowlog][rows_sent]}\s* Rows_examined: %{NUMBER:[mysql][slowlog][rows_examined]}\n(SET timestamp=%{NUMBER:[mysql][slowlog][timestamp]};\n)?%{GREEDYMULTILINE:[mysql][slowlog][query]}"] }
- pattern_definitions => {
- "GREEDYMULTILINE" => "(.|\n)*"
- }
- remove_field => "message"
- }
- date {
- match => [ "[mysql][slowlog][timestamp]", "UNIX" ]
- }
- mutate {
- gsub => ["[mysql][slowlog][query]", "\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9](\\.[0-9]+)?$", ""]
- }
- }
- }
- }
- output {
- elasticsearch {
- hosts => localhost
- manage_template => false
- index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement