thanh_thu

mysql-filter.conf

Jul 1st, 2019
  1. touch /etc/logstash/conf.d/mysql-filter.conf
  2.  
  # Beats listener: receives the events that Filebeat (or another Beats agent)
  # ships to this Logstash instance.
  # NOTE(review): "0.0.0.0" binds every interface and no ssl_* option is set in
  # this block, so any host that can reach TCP 5044 can submit events, in
  # plaintext. If agents are remote, limit who can reach the port (firewall or a
  # specific bind address) and review the beats input's TLS settings
  # (ssl_certificate, ssl_key, ssl_certificate_authorities) for encryption and
  # client authentication.
  input {
    beats {
      host => "0.0.0.0"
      port => 5044
    }
  }
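  # Turn MySQL error-log and slow-log events from the Filebeat "mysql" module
  # into structured [mysql][error][*] and [mysql][slowlog][*] fields.
  # Events from any other module pass through unchanged.
  filter {
    if [fileset][module] == "mysql" {
      if [fileset][name] == "error" {
        # Three patterns, tried in order:
        #   1. "<digits> <time> [level] text"      -> captures into [message]
        #   2. "<ISO8601> <thread id> [level] text" -> captures into [message1]
        #   3. anything else                        -> captures into [message2]
        # Pattern 3 matches every line, so this grok never tags a failure here.
        grok {
          match => { "message" => ["%{LOCALDATETIME:[mysql][error][timestamp]} (\[%{DATA:[mysql][error][level]}\] )?%{GREEDYDATA:[mysql][error][message]}",
            "%{TIMESTAMP_ISO8601:[mysql][error][timestamp]} %{NUMBER:[mysql][error][thread_id]} \[%{DATA:[mysql][error][level]}\] %{GREEDYDATA:[mysql][error][message1]}",
            "%{GREEDYDATA:[mysql][error][message2]}"] }
          pattern_definitions => {
            "LOCALDATETIME" => "[0-9]+ %{TIME}"
          }
          # The raw line is dropped once it has been parsed.
          remove_field => "message"
        }
        # Fold the per-pattern capture names back into one [message] field.
        mutate {
          rename => { "[mysql][error][message1]" => "[mysql][error][message]" }
        }
        mutate {
          rename => { "[mysql][error][message2]" => "[mysql][error][message]" }
        }
        # Use the log line's own timestamp as the event time.
        # NOTE(review): nothing in this block creates [mysql][error][time]; the
        # field grok sets is [mysql][error][timestamp]. Confirm which field was
        # meant to be removed before changing this.
        date {
          match => [ "[mysql][error][timestamp]", "ISO8601", "YYMMdd H:m:s" ]
          remove_field => "[mysql][error][time]"
        }
      }
      else if [fileset][name] == "slowlog" {
        # One multi-line slow-log entry per event: "# User@Host" header,
        # "# Query_time" statistics, optional "SET timestamp=...;", then the
        # statement text.
        # The client address inside the second [...] must be written as
        # %{IP:...}. A bare "IP:[mysql][slowlog][ip]" is read as literal regex
        # text, so the address is never captured and entries that carry one
        # fail to match.
        # NOTE(review): [mysql][slowlog][query] holds the statement exactly as
        # logged, including any literal values in it; treat the index that
        # stores it as sensitive. GREEDYMULTILINE runs over the whole event;
        # grok's timeout_millis setting bounds the time spent on one event.
        grok {
          match => { "message" => ["^# User@Host: %{USER:[mysql][slowlog][user]}(\[[^\]]+\])? @ %{HOSTNAME:[mysql][slowlog][host]} \[(%{IP:[mysql][slowlog][ip]})?\](\s*Id:\s* %{NUMBER:[mysql][slowlog][id]})?\n# Query_time: %{NUMBER:[mysql][slowlog][query_time][sec]}\s* Lock_time: %{NUMBER:[mysql][slowlog][lock_time][sec]}\s* Rows_sent: %{NUMBER:[mysql][slowlog][rows_sent]}\s* Rows_examined: %{NUMBER:[mysql][slowlog][rows_examined]}\n(SET timestamp=%{NUMBER:[mysql][slowlog][timestamp]};\n)?%{GREEDYMULTILINE:[mysql][slowlog][query]}"] }
          pattern_definitions => {
            "GREEDYMULTILINE" => "(.|\n)*"
          }
          # The raw entry is dropped only when the pattern matched.
          remove_field => "message"
        }
        # "SET timestamp=" carries epoch seconds; use it as the event time.
        date {
          match => [ "[mysql][slowlog][timestamp]", "UNIX" ]
        }
        # Strip a trailing "# Time: ..." line from the captured statement
        # (presumably the header of the next entry; verify against real logs).
        mutate {
          gsub => ["[mysql][slowlog][query]", "\n# Time: [0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9](\\.[0-9]+)?$", ""]
        }
      }
    }
  }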
  # Send every event to the Elasticsearch node on this host.
  output {
    elasticsearch {
      # The index name is assembled from [@metadata] values that arrive with
      # the event. NOTE(review): with an unauthenticated Beats listener, the
      # sender therefore influences which index is written to; confirm that
      # only trusted agents can reach the input.
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      # Logstash does not install an index template of its own.
      manage_template => false
      # No user/password or TLS options are set in this block.
      # NOTE(review): acceptable only while Elasticsearch listens on loopback
      # and requires no credentials; confirm for the target deployment.
      hosts => ["localhost"]
    }
  }