Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- input {
- beats {
- port => 5044
- host => "0.0.0.0"
- ssl => true
- ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
- ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
- }
- }
- filter {
- grok {
- match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
- "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
- remove_field => "message"
- }
- mutate {
- add_field => { "read_timestamp" => "%{@timestamp}" }
- }
- date {
- match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
- remove_field => "[apache2][access][time]"
- }
- useragent {
- source => "[apache2][access][agent]"
- target => "[apache2][access][user_agent]"
- remove_field => "[apache2][access][agent]"
- }
- geoip {
- source => "[apache2][access][remote_ip]"
- target => "[apache2][access][geoip]"
- }
- }
- output {
- elasticsearch {
- hosts => localhost
- manage_template => false
- index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
- document_type => "%{[@metadata][type]}"
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement