cgswong · June 16, 2015 17:50
diff --git a/logstash-http.conf b/logstash-http.conf
 # #####################################################################
 # DESC: Logstash configuration file. Typically forwarding logs to
 #       Elasticsearch instance.
 # #####################################################################

 # Where to get input
 input {
  # Get input from Apache logs
  file {
    type            => "apache-access"
    path            => [ "/var/log/apache/access.log" ]
    start_position  => "beginning"
  }
  # Get input from Nginx logs
  file {
    type => "nginx-access"
    path => [ "/var/log/nginx/access.log" ]
  }
  # Get input from Tomcat logs
  file {
    type => "tomcat"
    path => [ "/var/log/tomcat/catalina.out" ]
    codec => multiline {
      pattern => "(^\d+\serror)|(^.+Exception: .+)|(^\s+at .+)|(^\s+... \d+ more)|(^\s*Caused by:.+)"
      what => "previous"
    }
  }
 }

 # Some Filtering
 filter {
  # Apache Access Log filter
  if [type] == "apache-access" {
    grok { 
      match => { "message" => "%{COMBINEDAPACHELOG}" }
      }
  }
  # Nginx Access Log filter
  if [type] == "nginx-access" {
    grok { 
      match => { "message" => "%{NGINXACESS}" }
    }
  }
  # Tomcat filter
  if [type] == "tomcat" and [message] !~ /(.+)/ {
    drop { }
  }
 }

 # Where to send output
 output {
  # Send output to standard output device/interface
  stdout {
    codec => rubydebug
  }

 # Send output to Elasticsearch over HTTP interface.
  elasticsearch {
    protocol => 'http'
    host     => ES_HOST
    port     => ES_PORT
    cluster  => ES_CLUSTER
  }

 # Send output metrics to statsd for statistics aggregation
  statsd {
    # Count one hit every event by response
    increment => "apache.response.%{response}"
    # Use the 'bytes' field from the apache log as the count value.
    count => [ "apache.bytes", "%{bytes}" ]
  }
  statsd {
    host  => 'graphite.example.org'
    count => [ "tomcat.bytes", "%{bytes}" ]
  }
  statsd {
    host      => 'graphite.example.org'
    increment => "tomcat.response.%{response}"
  }
  statsd {
    host    => 'graphite.example.org'
    timing  => [ "tomcat.indextime", "%{indextime}" ]
  }
 }
	# #####################################################################
	# DESC: Logstash configuration file. Typically forwarding logs to
	# Elasticsearch instance.
	# #####################################################################

	# Where to get input
	input {
	# Get input from Apache logs
	file {
	type => "apache-access"
	path => [ "/var/log/apache/access.log" ]
	start_position => "beginning"
	}
	# Get input from Nginx logs
	file {
	type => "nginx-access"
	path => [ "/var/log/nginx/access.log" ]
	}
	# Get input from Tomcat logs
	file {
	type => "tomcat"
	path => [ "/var/log/tomcat/catalina.out" ]
	codec => multiline {
	pattern => "(^\d+\serror)\|(^.+Exception: .+)\|(^\s+at .+)\|(^\s+... \d+ more)\|(^\s*Caused by:.+)"
	what => "previous"
	}
	}
	}

	# Some Filtering
	filter {
	# Apache Access Log filter
	if [type] == "apache-access" {
	grok {
	match => { "message" => "%{COMBINEDAPACHELOG}" }
	}
	}
	# Nginx Access Log filter
	if [type] == "nginx-access" {
	grok {
	match => { "message" => "%{NGINXACESS}" }
	}
	}
	# Tomcat filter
	if [type] == "tomcat" and [message] !~ /(.+)/ {
	drop { }
	}
	}

	# Where to send output
	output {
	# Send output to standard output device/interface
	stdout {
	codec => rubydebug
	}

	# Send output to Elasticsearch over HTTP interface.
	elasticsearch {
	protocol => 'http'
	host => ES_HOST
	port => ES_PORT
	cluster => ES_CLUSTER
	}

	# Send output metrics to statsd for statistics aggregation
	statsd {
	# Count one hit every event by response
	increment => "apache.response.%{response}"
	# Use the 'bytes' field from the apache log as the count value.
	count => [ "apache.bytes", "%{bytes}" ]
	}
	statsd {
	host => 'graphite.example.org'
	count => [ "tomcat.bytes", "%{bytes}" ]
	}
	statsd {
	host => 'graphite.example.org'
	increment => "tomcat.response.%{response}"
	}
	statsd {
	host => 'graphite.example.org'
	timing => [ "tomcat.indextime", "%{indextime}" ]
	}
	}