@toast38coza
Created March 16, 2016 06:26
Sending filebeats to logstash
# this goes on the server with the logs
filebeat:
  prospectors:
    -
      paths:
        - "/var/log/nginx/*"
      document_type: nginx-logs
  registry_file: "/var/log/beat.log"
output:
  logstash:
    # replace with appropriate values for your setup:
    hosts: ["logstash.service.consul:5044"]

input {
  stdin { }
  beats {
    port => 5044
  }
}
filter {
  # type is set by document_type in filebeats
  if [type] == "nginx-logs" {
    grok {
      match => { "message" => "%{NGINXACCESS}" }
    }
    geoip {
      source => "clientip"
    }
  }
}
## Add your filters here
output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "%{index}-%{type}-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}

# put it at: /opt/logstash/patterns/nginx
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent}
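
An added example, not part of the original gist: a Python approximation of the NGINXACCESS pattern above, run over constructed access-log lines to show which ones would parse and which would end up tagged _grokparsefailure in Logstash (and so never reach the geoip filter). NGUSERNAME is copied from the pattern file; the other sub-patterns are simplified stand-ins for the stock grok definitions, and the sample lines and function names are assumptions.

```python
import re

# NGUSERNAME copied verbatim from the gist's pattern file (note: no digits).
NGUSER = r"[a-zA-Z\.\@\-\+_%]+"
# Simplified stand-ins (assumptions) for the stock grok patterns.
NUMBER = r"\d+(?:\.\d+)?"
NGINXACCESS = re.compile(
    r"(?P<clientip>[0-9A-Za-z.:\-]+) "
    rf"(?P<ident>{NGUSER}) (?P<auth>{NGUSER}) "
    r"\[(?P<timestamp>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    rf'"(?P<verb>\w+) (?P<request>/\S*) HTTP/(?P<httpversion>{NUMBER})" '
    rf"(?P<response>{NUMBER}) (?:(?P<bytes>{NUMBER})|-) "
    r'"(?P<referrer>[^"]*)" (?P<agent>"[^"]*")'
)

def parse(line):
    """Return extracted fields, or None where grok would tag _grokparsefailure."""
    m = NGINXACCESS.search(line)  # grok matching is unanchored, so use search()
    return m.groupdict() if m else None

def triage(lines):
    """Split lines into (parsed field dicts, raw lines that failed to parse)."""
    parsed, failed = [], []
    for line in lines:
        fields = parse(line)
        if fields:
            parsed.append(fields)
        else:
            failed.append(line)
    return parsed, failed

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    # Ordinary request: parses, clientip is available for geoip.
    '203.0.113.7 - - [16/Mar/2016:06:26:01 +0000] "GET /index.html?x=1 HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    # Authenticated user with a digit in the name: NGUSERNAME rejects it.
    '203.0.113.7 - bob1 [16/Mar/2016:06:26:02 +0000] "GET /admin HTTP/1.1" 401 0 "-" "curl/7.47.0"',
    # No request line was received: there is no verb/path/version to match.
    '198.51.100.9 - - [16/Mar/2016:06:26:03 +0000] "-" 400 0 "-" "-"',
]

if __name__ == "__main__":
    parsed, failed = triage(SAMPLE)
    for fields in parsed:
        print("parsed:", fields["clientip"], fields["verb"], fields["response"])
    for line in failed:
        print("would be tagged _grokparsefailure:", line)
```

Lines that fail the pattern are still indexed, only without clientip, response or geoip fields, so a search or alert built on those fields will not see them; querying for the _grokparsefailure tag is how to find them.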