Created
May 10, 2017 15:54
-
-
Save saliceti/1f290c5ac98633e364ab56c549ab7b76 to your computer and use it in GitHub Desktop.
Minimal logsearch logstash config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The # character at the beginning of a line indicates a comment. Use | |
| # comments to describe your configuration. | |
| input { | |
| file { | |
| path => "/Users/colin/Documents/Boulot/gds/logstash/nginx_access.log" | |
| start_position => "beginning" | |
| } | |
| } | |
| filter { | |
| # Initialize @input, @shipper and @source | |
| mutate { | |
| add_field => { "@input" => "syslog" } | |
| replace => { "[@shipper][priority]" => "14" } | |
| replace => { "[@shipper][name]" => "vcap.auctioneer_syslog" } | |
| add_field => { "[@source][component]" => "vcap.auctioneer" } | |
| add_field => { "[@source][type]" => "syslog" } | |
| } | |
| if [@source][component] != "vcap.uaa" and [@source][component] =~ /vcap\..*/ { | |
| ruby { | |
| code => "event['[@source][component]'] = event['[@source][component]'][5..-1]" # minus "vcap." prefix | |
| } | |
| mutate { | |
| replace => { "@type" => "vcap" } | |
| add_tag => "vcap" | |
| } | |
| # Parse Cloud Foundry logs | |
| if [@message] =~ /^\s*{".*}\s*$/ { # looks like JSON | |
| # parse JSON message | |
| json { | |
| source => "@message" | |
| target => "parsed_json_field" | |
| remove_field => [ "@message" ] | |
| add_field => { "parsed_json_field_name" => "%{[@source][component]}"} | |
| } | |
| if "_jsonparsefailure" in [tags] { | |
| # Amend the failure tag to match our fail/${addon}/${filter}/${detail} standard | |
| mutate { | |
| add_tag => ["fail/cloudfoundry/platform-vcap/json"] | |
| remove_tag => ["_jsonparsefailure"] | |
| } | |
| mutate { | |
| add_field => { "json_parsing" => "has failed" } | |
| } | |
| } else { | |
| mutate { | |
| rename => { "[parsed_json_field][message]" => "@message" } # @message | |
| } | |
| # mutate { | |
| # } | |
| # @level | |
| translate { | |
| field => "[parsed_json_field][log_level]" | |
| dictionary => [ "0", "DEBUG", "1", "INFO", "2", "ERROR", "3", "FATAL" ] | |
| destination => "@level" | |
| override => true | |
| fallback => "%{[parsed_json_field][log_level]}" | |
| remove_field => "[parsed_json_field][log_level]" | |
| } | |
| } | |
| } else { | |
| mutate { | |
| add_field => { "doesnt look like" => "json" } | |
| } | |
| } | |
| } | |
| } | |
| output { | |
| stdout { codec => rubydebug } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment