grenade · November 9, 2015 14:17
diff --git a/logstash-nsb.conf b/logstash-nsb.conf
 input {
  file {
    path => [
      "//hostname-uat.example.com/e$/LOGS/**/*.log*",
      "//hostname.example.com/Logs/**/UAT/*.log*"
    ]
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601_WITHMILLISECONDS}"
      negate => true
      what => previous
      charset => "ISO-8859-1"
    }
    start_position => beginning
  }
 }

 filter {
  grok {
    match => [ "message", "%{EXCEPTIONCLASS:exception}" ]
    match => [ "message", "^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\[%{DATA:process}\]%{SPACE}%{WORD:severity}%{SPACE}%{NOTSPACE:source}" ]
    match => [ "path", "//%{HOSTNAME:host}%{DATA}/%{JAVACLASS:application}/%{ENVIRONMENT:environment}/%{WORD:type}.log" ]
    match => [ "path", "//%{HOSTNAME:host}%{DATA}/%{JAVACLASS:application}/%{WORD:type}.log" ]
    overwrite => [ "host" ]
    break_on_match => false
  }
  if ![environment] {
    grok {
      match => [ "host", "%{NOTSPACE}-%{ENVIRONMENT:environment}\.%{NOTSPACE}" ]
    }
  }
  mutate {
    lowercase => [ "environment", "host", "type" ]
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    remove_field => [ "timestamp" ]
  }
 }

 output {
  elasticsearch {
    host => "elasticsearch.example.com"
  }
  stdout { codec => rubydebug }
 }
diff --git a/patterns-environments b/patterns-environments
 ENVIRONMENT (UAT|uat|TEST|test|PUBLISH|publish)
diff --git a/patterns-nservicebus b/patterns-nservicebus
 EXCEPTIONCLASS %{JAVACLASS}Exception
 MILLISECONDS (?:[:.,][0-9]{3})
 TIMESTAMP_ISO8601_WITHMILLISECONDS %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{MILLISECONDS}?%{ISO8601_TIMEZONE}?
 NOT_SPACE [^\s]+
	input {
	file {
	path => [
	"//hostname-uat.example.com/e$/LOGS/*/.log*",
	"//hostname.example.com/Logs/*/UAT/.log*"
	]
	codec => multiline {
	pattern => "^%{TIMESTAMP_ISO8601_WITHMILLISECONDS}"
	negate => true
	what => previous
	charset => "ISO-8859-1"
	}
	start_position => beginning
	}
	}

	filter {
	grok {
	match => [ "message", "%{EXCEPTIONCLASS:exception}" ]
	match => [ "message", "^%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\[%{DATA:process}\]%{SPACE}%{WORD:severity}%{SPACE}%{NOTSPACE:source}" ]
	match => [ "path", "//%{HOSTNAME:host}%{DATA}/%{JAVACLASS:application}/%{ENVIRONMENT:environment}/%{WORD:type}.log" ]
	match => [ "path", "//%{HOSTNAME:host}%{DATA}/%{JAVACLASS:application}/%{WORD:type}.log" ]
	overwrite => [ "host" ]
	break_on_match => false
	}
	if ![environment] {
	grok {
	match => [ "host", "%{NOTSPACE}-%{ENVIRONMENT:environment}\.%{NOTSPACE}" ]
	}
	}
	mutate {
	lowercase => [ "environment", "host", "type" ]
	}
	date {
	match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
	remove_field => [ "timestamp" ]
	}
	}

	output {
	elasticsearch {
	host => "elasticsearch.example.com"
	}
	stdout { codec => rubydebug }
	}
	EXCEPTIONCLASS %{JAVACLASS}Exception
	MILLISECONDS (?:[:.,][0-9]{3})
	TIMESTAMP_ISO8601_WITHMILLISECONDS %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{MILLISECONDS}?%{ISO8601_TIMEZONE}?
	NOT_SPACE [^\s]+