
@mmaloney
Created August 3, 2014 04:52
logstash configuration
# Input stage: remote syslog traffic plus the local nginx log files.
input {
  ######### To test supervisord items
  # Uncomment to feed lines from the console as if supervisord had sent them.
  #stdin {
  #  add_field => { "program" => "supervisord" }
  #}

  # Syslog listener on port 5514. No "host" option is given, so the plugin's
  # default bind address applies (0.0.0.0, i.e. every interface). The syslog
  # protocol carries no sender authentication, and the filter stage branches
  # on fields taken from the received message, so limit who can reach this
  # port (host firewall / network ACL) to the machines expected to log here.
  syslog {
    port => 5514
    type => syslog
  }

  # Tail everything under /var/log/nginx/. The glob is not limited to *.log,
  # so any other file placed in that directory (rotated or compressed logs,
  # for instance) is matched as well. nginx log lines carry client-supplied
  # text (request paths, headers), so treat the resulting events as
  # untrusted wherever they are rendered or queried.
  file {
    path => [ "/var/log/nginx/*" ]
    # Read positions are stored here. NOTE(review): /var/run is often cleared
    # on reboot, in which case the positions are lost - confirm for this host.
    sincedb_path => "/var/run/logstash/nginx.sincedb"
    type => nginx
  }
}
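# Filter stage: parses events relayed by supervisord and derives scheduler
# metrics and events for slurmctld / slurmd.
#
# The grok patterns used below (SD_PROG, SLURM_MSG, SLURM_SHED,
# SLURM_RPC_ALLOC_RES, SLURM_RPC_STEP_COMPLETE, SLURM_RPC_JOB_STEP_CREATE,
# SLURM_JOB_COMPLETE) are not defined in this file; they are expected to be
# found in /etc/grok/patterns/. The slurm_* fields tested and interpolated
# here are presumably captured by those patterns - confirm against them.
#
# Every field this stage branches on or interpolates ([program], [sd_prog],
# [slurm_shed_func], [slurm_jobid], ...) originates in the text of the
# received message. Whoever can submit events to the inputs therefore decides
# which branch runs and what lands in "metric", "event" and the tags, so
# consumers of those fields should treat them as untrusted.
filter {
  # Copy the program name into "agent". The field reference is only expanded
  # when [program] exists; without this guard, events that carry no [program]
  # field would be given the literal text "%{program}" as their agent.
  if [program] {
    mutate {
      add_field => { "agent" => "%{program}" }
    }
  }

  if [program] == "supervisord" {
    # Split the supervisord line into the wrapped program name and its message.
    # The "supervisord" tag is only added when the pattern matches.
    grok {
      patterns_dir => "/etc/grok/patterns/"
      match => [ "message", "%{SD_PROG:sd_prog} %{GREEDYDATA:sd_msg}" ]
      add_tag => [ "supervisord" ]
    }

    if [sd_prog] == "slurmctld" or [sd_prog] == "slurmd" {
      # First pass over the slurm line; sd_msg is dropped once it has matched.
      grok {
        patterns_dir => "/etc/grok/patterns/"
        match => [ "sd_msg", "%{SLURM_MSG}" ]
        add_tag => [ "slurm" ]
        remove_field => [ "sd_msg" ]
      }
      # Second pass on slurm_msg; slurm_msg is dropped once it has matched.
      grok {
        patterns_dir => "/etc/grok/patterns/"
        match => [ "slurm_msg", "%{SLURM_SHED}" ]
        remove_field => [ "slurm_msg" ]
      }

      # One branch per slurm_shed_func value. On a successful match the three
      # RPC branches emit a timing metric and tag the event "done".
      if [slurm_shed_func] == "_slurm_rpc_allocate_resources" {
        grok {
          patterns_dir => "/etc/grok/patterns/"
          match => [ "slurm_shed_msg", "%{SLURM_RPC_ALLOC_RES}" ]
          add_field => { "metric" => "%{sd_prog}.shed.%{slurm_shed_func}.usec %{slurm_shed_usec}" }
          # TODO: How to include information about the jobid here?
          # An event?
          add_tag => [ "shed", "metric", "done" ]
        }
      }
      if [slurm_shed_func] == "_slurm_rpc_step_complete" {
        grok {
          patterns_dir => "/etc/grok/patterns/"
          match => [ "slurm_shed_msg", "%{SLURM_RPC_STEP_COMPLETE}" ]
          add_field => { "metric" => "%{sd_prog}.shed.%{slurm_shed_func}.usec %{slurm_shed_usec}" }
          # TODO: How to include information about the STEP here?
          # An event? StepId=2.0
          add_tag => [ "shed", "metric", "done" ]
        }
      }
      if [slurm_shed_func] == "_slurm_rpc_job_step_create" {
        # Besides the metric, record an "event" string and per-job / per-step
        # tags. The tag names embed values parsed from the log line, so the
        # set of distinct tags grows with the jobs and steps seen.
        grok {
          patterns_dir => "/etc/grok/patterns/"
          match => [ "slurm_shed_msg", "%{SLURM_RPC_JOB_STEP_CREATE}" ]
          add_field => { "metric" => "%{sd_prog}.shed.%{slurm_shed_func}.usec %{slurm_shed_usec}" }
          # TODO: How to include information about the STEP here?
          # An event? StepId=2.0
          add_field => { "event" => "job%{slurm_jobid} step%{slurm_stepid} created"}
          add_tag => [ "shed", "metric", "done", "job%{slurm_jobid}", "step_create", "step%{slurm_stepid}" ]
        }
      }
      if [slurm_shed_func] == "job_complete" {
        # Exit-code metric and event. Unlike the RPC branches this one does
        # not add "done", so a matched event also goes through the rewrite
        # block below. NOTE(review): confirm that is intended.
        grok {
          patterns_dir => "/etc/grok/patterns/"
          match => [ "slurm_shed_msg", "%{SLURM_JOB_COMPLETE}" ]
          add_field => { "metric" => "%{sd_prog}.shed.exit_code %{slurm_job_exit_code}" }
          add_field => { "event" => "job%{slurm_jobid} EC:%{slurm_job_exit_code}"}
          add_tag => [ "shed", "metric", "job%{slurm_jobid}", "job_complete", "slurm_ec%{slurm_job_exit_code}" ]
        }
      }
    }

    # Everything from supervisord that was not finished above is rewritten to
    # look as if the wrapped program had logged it directly.
    if "done" not in [tags] and "supervisord" in [tags] {
      mutate {
        replace => [ "facility", 3 ]
        replace => [ "facility_label", "system-daemons" ]
        # host and program are overwritten with values taken from the message
        # itself (logsource, sd_prog); they identify what the sender claimed,
        # not a verified origin.
        replace => [ "host", "%{logsource}" ]
        replace => [ "program", "%{sd_prog}" ]
        #remove_field => [ "severity_label", "logsource" ]
      }
      # NOTE(review): nothing in this file adds the "slurmctld_event" tag, so
      # this branch only runs if the tag is set elsewhere.
      if "slurmctld_event" in [tags] {
        # NOTE(review): sd_msg is removed by the SLURM_MSG grok above when it
        # matches; if it is gone by now, "message" becomes the literal text
        # "%{sd_msg}". Confirm which events are expected to reach this point.
        mutate {
          replace => [ "message", "%{sd_msg}" ]
          remove_field => "sd_msg"
        }
        # Translate the slurm log level into a numeric syslog severity:
        # fatal -> 0, error -> 3, sched -> 7. Other levels are left unchanged.
        if [slurm_level] == "fatal" {
          mutate {
            replace => [ "severity", 0 ]
          }
        } else if [slurm_level] == "error" {
          mutate {
            replace => [ "severity", 3 ]
          }
        } else if [slurm_level] == "sched" {
          mutate {
            replace => [ "severity", 7 ]
          }
        }
      }
    }
  }
}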
# Output stage: every event is sent to Elasticsearch.
output {
  # Uncomment to print each event to the console while debugging.
  #stdout { codec => rubydebug }

  # NOTE(security): events are sent over plain HTTP, and this block sets no
  # TLS or credential options, so log content is neither encrypted nor
  # authenticated on the way to Elasticsearch. With "host" commented out the
  # plugin's default target is used - confirm what that is for the Logstash
  # version in use, and keep this traffic on loopback or a trusted segment.
  elasticsearch {
    #host => "localhost"
    protocol => "http"
    #cluster => "logstash"
  }
}
@pasuva

pasuva commented Jul 14, 2022

Hi,
I tried to implement this configuration on my ELK server, but it seems it can't work without the grok patterns. Would it be possible to share them privately? Thanks.
