Last active
September 6, 2017 22:28
logstash plugin to map php error levels to syslog (RFC3164) priority/facility values
# encoding: utf-8
require "logstash/filters/base"
require "logstash/namespace"

# Filter plugin for logstash to parse the PHP severity field from a php error log
# message embedded in a syslog (RFC3164) message, and adjust the standard syslog
# PRI field accordingly.
#
# This is necessary because PHP by default logs all syslog messages at priority
# "notice", even things like fatal errors! This makes it impossible to do any alerting
# or metrics based on message severity.
#
# This filter is based on the original syslog_pri.rb filter, I think.
#
class LogStash::Filters::Php_severity < LogStash::Filters::Base
  config_name "php_severity"

  # set the status to experimental/beta/stable
  milestone 1

  # Name of field which passes in the extracted PRI part of the syslog message
  config :syslog_pri_field_name, :validate => :string, :default => "syslog_pri"

  # Name of field which holds the PHP severity text extracted from the message
  config :php_severity_field_name, :validate => :string, :default => "php_severity"

  public
  def register
    # Nothing
  end

  public
  def filter(event)
    return unless filter?(event)
    modify_pri(event)
    filter_matched(event)
  end

  private
  def modify_pri(event)
    if event[@syslog_pri_field_name]
      if event[@syslog_pri_field_name].is_a?(Array)
        priority = event[@syslog_pri_field_name].first.to_i
      else
        priority = event[@syslog_pri_field_name].to_i
      end
    else
      priority = 13 # default: facility 1 (user), severity 5 (notice)
    end

    # Per RFC3164, priority = (facility * 8) + severity
    facility = priority / 8

    # "fatal" and "parse" are tested before "error": PHP labels these levels
    # "Fatal error" and "Parse error", so /error/ would otherwise match first
    # and they would never be raised to severity 2.
    if /warn/i.match(event[@php_severity_field_name])
      priority = (facility * 8) + 4 # warning
    elsif /fatal/i.match(event[@php_severity_field_name])
      priority = (facility * 8) + 2 # critical
    elsif /parse/i.match(event[@php_severity_field_name])
      priority = (facility * 8) + 2 # critical
    elsif /error/i.match(event[@php_severity_field_name])
      priority = (facility * 8) + 3 # error
    end

    event[@syslog_pri_field_name] = priority
  end
end
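
The same PRI rewrite as a stand-alone function, so the mapping can be checked against sample lines before alert rules depend on it. This is an added example, not part of the gist: `remap_pri`, `LINE_RE`, the sample lines and the "PHP <Level>:" message prefix are assumptions made for the illustration.

```ruby
# Added example (not the gist's code): rewrite the RFC3164 PRI of a raw syslog
# line from the PHP level named in its message, keeping the facility.

# Checked in order, most specific first: "Fatal error" and "Parse error" both
# contain "error", so the generic pattern has to come last.
PHP_TO_SYSLOG_SEVERITY = [
  [/fatal/i, 2], # crit
  [/parse/i, 2], # crit
  [/error/i, 3], # err
  [/warn/i,  4], # warning
].freeze

# Assumed line shape: "<PRI>header ... PHP <Level>:  message"
LINE_RE = /\A<(\d{1,3})>(.*?\bPHP ([A-Za-z ]+?):\s.*)\z/m

def remap_pri(line)
  m = LINE_RE.match(line)
  return line unless m        # not a PHP error line: leave untouched
  pri = m[1].to_i
  return line if pri > 191    # outside RFC3164's range (max is 23 * 8 + 7)
  facility = pri / 8          # PRI = facility * 8 + severity
  _, severity = PHP_TO_SYSLOG_SEVERITY.find { |re, _| re.match(m[3]) }
  return line unless severity # Notice, Deprecated, ...: keep the PRI PHP sent
  "<#{facility * 8 + severity}>#{m[2]}"
end

# Constructed sample input, not captured from a real host.
SAMPLE_LINES = [
  "<13>Sep  6 22:28:01 web01 php: PHP Fatal error:  Uncaught Exception in /var/www/index.php:3",
  "<13>Sep  6 22:28:02 web01 php: PHP Parse error:  syntax error, unexpected '}' in /var/www/a.php on line 9",
  "<133>Sep  6 22:28:03 web01 php: PHP Warning:  Division by zero in /var/www/b.php on line 4",
  "<13>Sep  6 22:28:04 web01 php: PHP Notice:  Undefined index: id in /var/www/c.php on line 7",
  "<13>Sep  6 22:28:05 web01 sshd[811]: Accepted publickey for deploy",
].freeze

SAMPLE_LINES.each { |l| puts remap_pri(l) } if __FILE__ == $0
```
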