@gerardorochin
Created June 2, 2014 15:39
php error logging into logstash + elasticsearch and trace errors on single line and root path hidden
input {
  file {
    type => "php-error"
    path => "/var/www/error_log"
    sincedb_path => "/opt/logstash/sincedb-access"
  }
}
filter {
  mutate {
    # Strip the web root so absolute server paths are not indexed
    gsub => [
      "message", "/var/www", "",
      "message", "/var/www", "",
      "path", "/var/www", ""
    ]
  }
  if [type] == "php-error" {
    grok {
      match => [ "message", "\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{WORD:zone}/%{WORD:country}\] PHP %{DATA:level}\: %{GREEDYDATA:error}" ]
      add_field => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{zone}/%{country}" }
      add_tag => [ "%{level}" ]
      remove_field => [ "day", "month", "year", "time", "zone", "country" ]
    }
    # Fold stack-trace lines into the previous event
    multiline {
      pattern => "(Stack trace:)|(^#.+)|(^\"\")|( thrown+)|(^\s)"
      what => "previous"
    }
    # Parse the PHP timestamp into @timestamp
    date {
      timezone => "America/Mexico_City"
      match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss", "dd-MMM-yyyy HH:mm:ss ZZZ" ]
      target => "@timestamp"
      remove_field => "timestamp"
    }
  }
  mutate {
    uppercase => [ "level" ]
    lowercase => [ "tags" ]
    gsub => [
      "tags", " ", "_",
      "level", " ", "_"
    ]
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    host => "localhost"
  }
}
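
An offline check of the filter logic above, as an added Python example that is not part of the gist: it applies the gist's multiline pattern, `/var/www` scrubbing and level normalisation to a constructed log sample. The regex standing in for the grok expression, the sample lines and the fold-before-parse order are assumptions.

```python
import re

# Constructed sample error_log: one fatal error with a stack trace, one notice.
SAMPLE = """\
[02-Jun-2014 15:39:01 America/Mexico_City] PHP Fatal error:  Uncaught exception 'Exception' with message 'boom' in /var/www/app/index.php:12
Stack trace:
#0 /var/www/app/lib/db.php(40): run()
#1 {main}
  thrown in /var/www/app/index.php on line 12
[02-Jun-2014 15:39:05 America/Mexico_City] PHP Notice:  Undefined variable: x in /var/www/app/view.php on line 3
"""

# Continuation pattern copied from the gist's multiline block.
CONTINUATION = re.compile(r'(Stack trace:)|(^#.+)|(^"")|( thrown+)|(^\s)')
# Assumption: a plain-regex stand-in for the gist's grok expression.
HEADER = re.compile(
    r'\[(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2} \w+/\w+)\] '
    r'PHP (?P<level>.*?): (?P<error>.*)')
WEB_ROOT = "/var/www"

def fold(lines):
    """Append stack-trace lines to the previous event (what => "previous")."""
    events = []
    for line in lines:
        if events and CONTINUATION.search(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

def parse(text):
    """Fold, scrub the web root, then extract timestamp, level and error."""
    parsed = []
    for raw in fold(text.splitlines()):
        message = raw.replace(WEB_ROOT, "")  # same effect as the gsub entries
        match = HEADER.match(message)
        if match is None:
            parsed.append({"message": message, "tags": ["_grokparsefailure"]})
            continue
        event = match.groupdict()
        event["level"] = event["level"].upper().replace(" ", "_")
        event["message"] = message
        parsed.append(event)
    return parsed

if __name__ == "__main__":
    for event in parse(SAMPLE):
        print(event["level"], "|", event["message"].replace("\n", " ~ "))
```
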
@mathiasaerts

Any reason why the "message", "/var/www", "", line is listed twice within mutate?

@gerardorochin
Author

For security reasons, hide your path

@kamermans

Since Logstash has now deprecated the multiline filter, I've written something similar using the multiline input codec: https://gist.github.com/kamermans/f53aa58bbd14a3fff9541b76064efa1a