Untitled

input {
    beats {
        port => 5044
    }
}
filter {

    # linux journal entry
    if [type] == "journal" {

        mutate {
            update => {
                "type" => "journal-log"
            }
        }

        # docker container log entry
        if [CONTAINER_NAME] {

            mutate {
                update => {
                    "type" => "docker-log"
                }
            }

            # parse a Mule app log
            grok {
                match => [ "MESSAGE", "%{LOGLEVEL:loglevel}\s+%{TIMESTAMP_ISO8601:timestamp}\s+\[\[%{DATA:app}\]\.%{DATA:thread}\]\s+%{DATA:category}:\s+%{GREEDYDATA:msgbody}" ]
                remove_tag => ["_grokparsefailure"]
            }
            if "_grokparsefailure" in [tags] {
                grok {
                    match => [ "MESSAGE", "%{TIMESTAMP_ISO8601:timestamp}\s+\[\[%{DATA:app}\]%{DATA:thread}\]\s+%{LOGLEVEL:loglevel}\s+%{JAVACLASS:category}\s+-\s+%{GREEDYDATA:msgbody}" ]
                    remove_tag => ["_grokparsefailure"]
                }
            }
            if "_grokparsefailure" not in [tags] {
                 mutate {
                    update => {
                        "type" => "mule-app-log"
                    }
                    rename => {
                        "MESSAGE" => "message"
                    }
                }
                kv {
                    source => "msgbody"
                    allow_duplicate_values => false
                }
                date {
                    match => ["timestamp","yyyy-MM-dd HH:mm:ss,SSS"]
                    remove_field => ["timestamp"]
                }
            }
        }
    }
}

output {
    elasticsearch {
        hosts => ["<<host>>"]
        manage_template => false
        index => "beats-%{+YYYY.MM.dd}"
    }

    # debug output
    stdout {
        codec => rubydebug
    }
}