SHOW:
|
|
- or go back to the newest paste.
| 1 | # Where to get input | |
| 2 | input {
| |
| 3 | # syslog inputs | |
| 4 | tcp {
| |
| 5 | port => 5000 | |
| 6 | type => "syslog" | |
| 7 | } | |
| 8 | udp {
| |
| 9 | port => 5000 | |
| 10 | type => "syslog" | |
| 11 | } | |
| 12 | ||
| 13 | - | # CoreOS journal input |
| 13 | + | # NAGIOS input |
| 14 | tcp {
| |
| 15 | port => 5044 | |
| 16 | - | port => 5004 |
| 16 | + | tags => ["nagios"] |
| 17 | - | tags => ["coreos","docker"] |
| 17 | + | type => "nagios" |
| 18 | - | type => "systemd" |
| 18 | + | |
| 19 | ||
| 20 | # Logspout input | |
| 21 | tcp {
| |
| 22 | codec => "json_lines" | |
| 23 | port => 5006 | |
| 24 | tags => ["docker"] | |
| 25 | type => "logspout" | |
| 26 | } | |
| 27 | ||
| 28 | # Log4j application input | |
| 29 | log4j {
| |
| 30 | codec => "json_lines" | |
| 31 | port => 4560 | |
| 32 | tags => ["applogs"] | |
| 33 | type => "log4j" | |
| 34 | } | |
| 35 | } | |
| 36 | ||
| 37 | # Some Filtering | |
| 38 | filter {
| |
| 39 | # syslog filter | |
| 40 | if [type] == "syslog" {
| |
| 41 | grok {
| |
| 42 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
| |
| 43 | add_field => [ "received_at", "%{@timestamp}" ]
| |
| 44 | add_field => [ "received_from", "%{host}" ]
| |
| 45 | } | |
| 46 | syslog_pri { }
| |
| 47 | date {
| |
| 48 | match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] | |
| 49 | } | |
| 50 | ||
| 51 | if !("_grokparsefailure" in [tags]) {
| |
| 52 | mutate {
| |
| 53 | replace => [ "message", "%{syslog_message}" ]
| |
| 54 | } | |
| 55 | ||
| 56 | mutate {
| |
| 57 | remove_field => [ "syslog_message" ] | |
| 58 | } | |
| 59 | } | |
| 60 | ||
| 61 | # Remove spurious fields that have names changed or been aggregated | |
| 62 | mutate {
| |
| 63 | remove_field => [ "syslog_hostname", "syslog_timestamp" ] | |
| 64 | } | |
| 65 | } | |
| 66 | ||
| 67 | # systemd/journal filter (CoreOS) | |
| 68 | if [type] == "systemd" {
| |
| 69 | mutate { rename => [ "MESSAGE", "message" ] }
| |
| 70 | mutate { rename => [ "_SYSTEMD_UNIT", "program" ] }
| |
| 71 | } | |
| 72 | ||
| 73 | #Nagios filter | |
| 74 | if [type] == "nagios" {
| |
| 75 | grok {
| |
| 76 | match => { "message" => "%{NAGIOSLOGLINE}" }
| |
| 77 | } | |
| 78 | } | |
| 79 | ||
| 80 | # Docker filter | |
| 81 | if [tags] == "docker" {
| |
| 82 | json {
| |
| 83 | source => "message" | |
| 84 | } | |
| 85 | mutate {
| |
| 86 | rename => [ "log", "message" ] | |
| 87 | } | |
| 88 | date {
| |
| 89 | match => [ "time", "ISO8601" ] | |
| 90 | } | |
| 91 | } | |
| 92 | } | |
| 93 | ||
| 94 | # Where to send output | |
| 95 | output {
| |
| 96 | # Send output to standard output device/interface | |
| 97 | stdout {
| |
| 98 | codec => rubydebug | |
| 99 | } | |
| 100 | ||
| 101 | # Parse failed messages to separate index | |
| 102 | if "_grokparsefailure" in [tags] {
| |
| 103 | elasticsearch {
| |
| 104 | # host => ["localhost:9200"] | |
| 105 | host => ["ES_CONN_STR"] | |
| 106 | index => "cgidev-parse-err-%{+YYYY.MM.dd}"
| |
| 107 | protocol => "http" | |
| 108 | user => logstash | |
| 109 | password => logstash | |
| 110 | } | |
| 111 | } | |
| 112 | ||
| 113 | # Elasticsearch output | |
| 114 | elasticsearch {
| |
| 115 | # host => ["localhost:9200"] | |
| 116 | host => ["ES_CONN_STR"] | |
| 117 | index => "cgidev-logstash-%{+YYYY.MM.dd}"
| |
| 118 | protocol => "http" | |
| 119 | user => logstash | |
| 120 | password => logstash | |
| 121 | } | |
| 122 | } |
