SamSaffron · September 3, 2015 21:26
diff --git a/tf1_logstash.conf b/tf1_logstash.conf
 input {
  lumberjack {
    port => 5150
    type => "logs"
    ssl_certificate => "/etc/logstash/tls/logstash-forwarder.crt"
    ssl_key => "/etc/logstash/tls/logstash-forwarder.key"
  }
 }

 filter {
  grok {
    patterns_dir => "/etc/logstash/patterns"
    match => { "message" => "%{HAPROXYHTTP}" }
  }
  mutate {
    remove_field => ["haproxy_year", "haproxy_time", "haproxy_hour", "haproxy_minute", "haproxy_second", "haproxy_milleseconds", "haproxy_month", "haproxy_monthdate", "haproxy_milliseconds", "haproxy_monthday"]
  }

  date {
    match => ["accept_date", "dd/MMM/YYYY:HH:mm:ss.SSS"]
  }

  mutate {
    remove_field => ["accept_date"]
  }

  ruby {
    code => "event['response_header_x_runtime'] = (event['response_header_x_runtime'] * 1000).to_i if event['response_header_x_runtime']"
  }

  ruby {
    code => "
      require 'ipaddr' unless defined?(IPAddr)
      if event['client_ip']
         ip = IPAddr.new(event['client_ip'])
         event['client_ip_v4'] = ip.to_s if ip.ipv4?
         event['client_ip_v6'] = ip.to_s if ip.ipv6?
      end

      if event['client_ip_v6']
        db = Thread.current['geoip_v6_db'] ||= ::GeoIP.new('/etc/logstash/GeoLiteCityv6.dat')
        geoip = db.city(event['client_ip_v6'])

        if geoip
          clean = {}
          geoip = geoip.to_hash
          if geoip.key?(:latitude) && geoip.key?(:longitude)
            clean['location'] = [geoip[:latitude].to_f, geoip[:longitude].to_f]
          end

          geoip.each do |k,v|
            next if v.nil? || ((String===v) && v.empty?)
            clean[k.to_s] = v
          end

          event['geoip'] = clean
        end
      end
      "
  }

  geoip {
    source => "client_ip_v4"
    target => "geoip"
  }

 }

 output {
  elasticsearch {
    host => localhost
  }
 }
	input {
	lumberjack {
	port => 5150
	type => "logs"
	ssl_certificate => "/etc/logstash/tls/logstash-forwarder.crt"
	ssl_key => "/etc/logstash/tls/logstash-forwarder.key"
	}
	}

	filter {
	grok {
	patterns_dir => "/etc/logstash/patterns"
	match => { "message" => "%{HAPROXYHTTP}" }
	}
	mutate {
	remove_field => ["haproxy_year", "haproxy_time", "haproxy_hour", "haproxy_minute", "haproxy_second", "haproxy_milleseconds", "haproxy_month", "haproxy_monthdate", "haproxy_milliseconds", "haproxy_monthday"]
	}

	date {
	match => ["accept_date", "dd/MMM/YYYY:HH:mm:ss.SSS"]
	}

	mutate {
	remove_field => ["accept_date"]
	}

	ruby {
	code => "event['response_header_x_runtime'] = (event['response_header_x_runtime'] * 1000).to_i if event['response_header_x_runtime']"
	}

	ruby {
	code => "
	require 'ipaddr' unless defined?(IPAddr)
	if event['client_ip']
	ip = IPAddr.new(event['client_ip'])
	event['client_ip_v4'] = ip.to_s if ip.ipv4?
	event['client_ip_v6'] = ip.to_s if ip.ipv6?
	end

	if event['client_ip_v6']
	db = Thread.current['geoip_v6_db'] \|\|= ::GeoIP.new('/etc/logstash/GeoLiteCityv6.dat')
	geoip = db.city(event['client_ip_v6'])

	if geoip
	clean = {}
	geoip = geoip.to_hash
	if geoip.key?(:latitude) && geoip.key?(:longitude)
	clean['location'] = [geoip[:latitude].to_f, geoip[:longitude].to_f]
	end

	geoip.each do \|k,v\|
	next if v.nil? \|\| ((String===v) && v.empty?)
	clean[k.to_s] = v
	end

	event['geoip'] = clean
	end
	end
	"
	}

	geoip {
	source => "client_ip_v4"
	target => "geoip"
	}

	}

	output {
	elasticsearch {
	host => localhost
	}
	}