  1. input {
  2. http {
  3. port => "9111"
  4. codec => json_lines
  5. additional_codecs => { "application/json" => "json_lines" }
  6. threads => "1000"
  7. ssl => true
  8. keystore => "/etc/logstash/logstash-ssl.jks"
  9. keystore_password => "changeit"
  10.  
  11. user => "logstashuser"
  12. password => ""
  13.  
  14. }
  15. http {
  16. port => "9112"
  17. codec => json_lines
  18. additional_codecs => { "application/json" => "json_lines" }
  19. threads => "1000"
  20. type => redacted
  21. ssl => true
  22. keystore => "/etc/logstash/logstash-ssl.jks"
  23. keystore_password => "changeit"
  24.  
  25. }
  26. }
  27.  
  28. filter {
  29. # elasticsearch bulk format alternates 'index' or 'create' lines with records
  30. # there could also be 'delete' and 'update', but logqueue doesn't send those
  31. # we might want to consider throwing error just in case
  32. if [create] or [index] or [delete] or [update] {
  33. drop{}
  34. }
  35.  
  36. # Push the time stamp we will use for our S3 filenames (or test file names) into metadata
  37. ruby {
  38. code => "event.set('[@metadata][TimeInFileName]', event.sprintf('%{+YYYY-MM-dd\'T\'HH-mm}'))"
  39. }
  40.  
  41. if "redacted" in [type] {
  42. metrics {
  43. meter => [ "_events" ]
  44. add_tag => [ "metric", "_events" ]
  45. }
  46. } else {
  47. # Track logstash performance
  48. metrics {
  49. meter => [ "es_events" ]
  50. add_tag => [ "metric", "es_events" ]
  51. }
  52. if ![LogIndex] {
  53. mutate {
  54. add_field => { "LogIndex" => "health" }
  55. }
  56. }
  57.  
  58. if ![LogType] {
  59. mutate {
  60. add_field => { "LogType" => "healthcheck" }
  61. }
  62. }
  63.  
  64. if [LogIndex] == "security" {
  65. metrics {
  66. meter => [ "security_events" ]
  67. add_tag => [ "metric", "security_events" ]
  68. }
  69. mutate {
  70. add_field => { "Tags" => "filter_processed_time:%{[@metadata]TimeInFileName}" }
  71. }
  72. }
  73. }
  74. mutate {
  75. remove_field => [ "@timestamp", "@version", host, headers]
  76. }
  77.  
  78. }
  79.  
  80. output {
  81. if "metric" in [tags] {
  82. if "es_events" in [tags] {
  83. stdout {
  84. codec => line {
  85. format => "%{[es_events][count]} elastic logs processed. Current rate (1m) : %{[es_events][rate_1m]}"
  86. }
  87. }
  88. }
  89. if "security_events" in [tags] {
  90. stdout {
  91. codec => line {
  92. format => "%{[security_events][count]} security logs processed. Current rate (1m) : %{[security_events][rate_1m]}"
  93. }
  94. }
  95. }
  96. if "_events" in [tags] {
  97. stdout {
  98. codec => line {
  99. format => "%{[_events][count]} logs processed. Current rate (1m) : %{[_events][rate_1m]}"
  100. }
  101. }
  102. }
  103. } else if "redacted" in [type] {
  104. # file {
  105. # path => "conf\%{[@metadata]TimeInFileName}.log"
  106. # }
  107. s3 {
  108.  
  109. bucket => "security-logs"
  110. size_file => "2048000"
  111. time_file => "5"
  112. prefix => "DI/"
  113. codec => "json_lines"
  114. tags => "redacted"
  115. canned_acl => "bucket_owner_full_control"
  116. }
  117. } else {
  118. if [LogIndex] == "security" {
  119. # file {
  120. # path => "conf\security_%{[@metadata]TimeInFileName}.log"
  121. # }
  122. s3 {
  123.  
  124. bucket => "security-logs"
  125. size_file => "2048000"
  126. time_file => "5"
  127. prefix => "DI/"
  128. codec => "json_lines"
  129. tags => "security"
  130. canned_acl => "bucket_owner_full_control"
  131. }
  132. }
  133.  
  134. elasticsearch {
  135. action => "index"
  136. hosts => ["lb.aws..net:9200"]
  137. ssl => "true"
  138. # can either use truststore and truststore_password or just cacert
  139. #truststrore => "${ES_JKS_TRUST_STORE}"
  140. #truststrore_password => "${ES_JKS_TRUST_STORE_PASSWORD}"
  141. cacert => "/etc/ssl/certs/ca-bundle.crt"
  142. index => "%{LogIndex}"
  143. document_type => "%{LogType}"
  144. manage_template => "false"
  145. user => ""
  146. password => ""
  147. #workers => 4
  148. }
  149. # stdout { codec => rubydebug{metadata => true}}
  150. }
  151. }