```
input {
  file {
    path => "/var/log/nginx/*access.log"
    type => "nginx"
    sincedb_path => "/var/log/.sincedb"
  }
}
input {
  udp {
    type => "syslog"
```
```json
{
  "template" : "logstash-*",
  "settings" : {
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true},
      "dynamic_templates" : [ {
        "string_fields" : {
```
```
if "10.0.101.1" in [msgsource_ip] {
  mutate {
    add_field => [ "devtype", "JUNIPER" ]
    add_tag => "JUNIPER"
  }
}
if [message] =~ "RT_FLOW_SESSION_CREATE" {
  if "JUNIPER" in [tags] {
    mutate {
      add_tag => "FLOWCREATE"
```
```
______________________REPLACE BELOW in /etc/logstash.conf__________________
filter {
  if [type] == "iis" {
    if [message] =~ "^#" {
      drop {}
    }
    grok {
      break_on_match => false
      match => [
        "message", "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} %{WORD:servername} %{TIMESTAMP_ISO8601} %{IP:hostip} %{WORD:method} %{URIPATH:request} (?:%{NOTSPACE:query}|-) %{NUMBER:port} (?:%{NOTSPACE:param}|-) %{IPORHOST:clientip} %{NOTSPACE:agent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:bytes} %{NUMBER:time-taken}",
```
```
input {
  file {
    path => "/var/log/nginx/access.log"
    type => "nginx-access"
    sincedb_path => "/var/log/.nginxaccesssincedb"
  }
}
input {
  file {
    path => "/var/log/nginx/error.log"
```
using this nxlog.conf https://gist.github.com/mrlesmithjr/cf212836b9ce162373ed

using this logstash.conf https://gist.github.com/mrlesmithjr/72e99caf36fcc2b5d323

My IIS logs being sent from nxlog to logstash are merging multiple IIS log entries into one. Thoughts?

```json
{
  "_index": "logstash-2014.06.18",
  "_type": "iis",
```
```
# Add src_ip if not already found
filter {
  if [type] == "syslog" {
    # ![src_ip] matches when the field is absent; == "" matches when it exists but is empty
    if ![src_ip] or [src_ip] == "" {
      mutate {
        add_field => [ "src_ip", "%{syslog_hostname}" ]
      }
      dns {
        resolve => [ "src_ip" ]
        action => "replace"
```
```sh
#!/bin/sh
/usr/local/bin/curator delete --older-than 90 2>&1 | /bin/nc logstash 28778
/usr/local/bin/curator close --older-than 30 2>&1 | /bin/nc logstash 28778
/usr/local/bin/curator bloom --older-than 2 2>&1 | /bin/nc logstash 28778
/usr/local/bin/curator optimize --older-than 2 2>&1 | /bin/nc logstash 28778
```