logstash.conf

1. input {
2. beats {
3. port => 5044
4. }
5. }
6. filter {
7. if [fields][log_type] == "iis" {
8. grok {
9. match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|\"%{URIPATH:CS-URI-Query}\") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}"}
10. }
11. }
12. if [fields][log_type] == "ivr" {
13. grok {
14. match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{SPACE}%{WORD:Channel_id}%{SPACE}:Answer call from %{NUMBER:Source_number:int} for %{NUMBER:destination_number}"}
15. }
16. }
17. if "_grokparsefailure" in [tags] {
18. drop { }
19. }
20. }
21. output {
22. if [fields][log_type] == "iis" {
23. elasticsearch {
24. hosts => ["localhost:9200"]
25. sniffing => true
26. manage_template => false
27. index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
28. document_type => "%{[@metadata][type]}"
29. }
30. }
31.  
32. if [fields][log_type] == "ivr" {
33. elasticsearch {
34. hosts => ["localhost:9200"]
35. sniffing => true
36. manage_template => false
37. index => "IVR-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
38. document_type => "%{[@metadata][type]}"
39. }
40. }
41. }