Skip to content

Instantly share code, notes, and snippets.

@tecsyscom

tecsyscom/logstash.jboss.web.conf

Created May 9, 2017 09:39
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save tecsyscom/f264b511b6e11c9e0b78c60c1c05c829 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save tecsyscom/f264b511b6e11c9e0b78c60c1c05c829 to your computer and use it in GitHub Desktop.
Download ZIP
test jboss web logstash config file
Raw
logstash.jboss.web.conf
#input {
# stdin {
# type => "joss_web"
# }
#}
# filebeat need to add -> index: "filebeat_cm_ar"
input {
redis {
data_type => "list"
key => “filebeat_jboss_web"
batch_count => 100
type => "joss_web"
}
}
filter {
if [type] == "joss_web" {
grok {
break_on_match => true
named_captures_only => true
match => {
"message" => [
"%{IPORHOST:c_ip} %{NOTSPACE:remote_logname} %{NOTSPACE:remote_user} \[%{MONTHDAY:day}/%{MONTH:month}/%{YEAR:year}:%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} %{ISO8601_TIMEZONE:timezone}\] %{WORD:request} %{NOTSPACE:file_path} ?(%{NOTSPACE:http_version}| ) %{WORD:status} %{INT:bytes} %{NOTSPACE:referer} %{GREEDYDATA:user_agent} %{NOTSPACE:data} %{BASE16FLOAT:time_taken}"]
}
}
mutate {
add_field => ["timestamp","%{year}-%{month}-%{day} %{hour}:%{minute}:%{second}"]
}
#Set the Event Timesteamp from the log
date {
match => [ "timestamp", "YYYY-MMM-dd HH:mm:ss"]
#timezone => "Etc/UTC"
timezone => "Asia/Taipei"
#add_field => { "debug" => "timestampMatched"}
}
mutate {
remove_field => [ "year", "month", "day", "hour", "minute", "second", "timezone"]
#add_field => { index_name => "logstash-jboss-web-log-%{+YYYY.MM.dd}" }
}
}
}
output {
if [type] == "joss_web" {
elasticsearch {
template_overwrite => true
hosts => ["localhost:9200"]
index => "logstash-jboss-web-log-%{+YYYY.MM.dd}"
}
#stdout { codec => rubydebug }
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment