
@wizardfrag
Last active June 3, 2024 15:54
# Tail the current log of every Minecraft server instance on this host.
input {
  file {
    # The glob matches latest.log under each directory directly beneath
    # /data/minecraft, so one pipeline covers all server instances there.
    # These logs hold player names, client IP addresses and chat text;
    # the Logstash account needs read access only.
    path => [ "/data/minecraft/*/logs/latest.log" ]

    # Tag used by the filter stage to select these events.
    tags => ["minecraft"]
  }
}
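# Parse Minecraft server log lines and tag player-related events
# (uuid, join, achievement, part, chat).
filter {
  # Only touch events that came from the Minecraft file input.
  if "minecraft" in [tags] {
    # Base parse: "[HH:MM:SS] [originator/LEVEL]: text".
    # The text after the prefix replaces the original message, so the
    # event-specific patterns below run against the bare log text.
    # %{TIME} carries a time of day only and no date filter is applied here,
    # so @timestamp stays the ingestion time.
    # This grok keeps the default failure tag: a line that does not fit the
    # prefix format is marked _grokparsefailure and can be reviewed.
    grok {
      match => [ "message", "\A\[%{TIME:timestamp}] \[(?<originator>[^\/]+)?/%{LOGLEVEL:level}]: %{GREEDYDATA:message}\Z" ]
      overwrite => [ "message" ]
      break_on_match => false
    }

    # The groks below are alternatives: a given line is expected to match at
    # most one of them. tag_on_failure is emptied on each so that a
    # non-matching alternative does not stamp _grokparsefailure on an event
    # that parsed correctly above.

    # Name-to-UUID announcement. The captures are named so the account
    # identity is stored on the event and can be correlated with the join
    # record; a display name alone does not identify an account.
    grok {
      match => [ "message", "\AUUID of player %{USERNAME:player} is %{UUID:playeruuid}\Z" ]
      add_tag => [ "player", "uuid" ]
      tag_on_failure => []
    }

    # Login: player name, client IPv4 address, entity id, world and position.
    # The source port is matched but not stored. ip_address is personal data;
    # limit who can read the resulting index.
    grok {
      match => [ "message", "\A(?<player>[a-zA-Z0-9_]+)\[/%{IPV4:ip_address}:%{POSINT}\] logged in with entity id %{POSINT:entity_id} at \(\[(?<world>[a-zA-Z]+)\](?<pos>[^\)]+)\)\Z" ]
      add_tag => [ "player", "join" ]
      tag_on_failure => []
    }

    # Achievement earned by a player.
    grok {
      match => [ "message", "^(?<player>[a-zA-Z0-9_]+) has just earned the achievement \[(?<achievement>[^\[]+)\]$" ]
      add_tag => [ "player", "achievement" ]
      tag_on_failure => []
    }

    # Player disconnect.
    grok {
      match => [ "message", "^(?<player>[a-zA-Z0-9_]+) left the game$" ]
      add_tag => [ "player", "part" ]
      tag_on_failure => []
    }

    # Chat line "<player> text". Everything after the name is written by the
    # player, so the message field of events tagged "chat" is untrusted
    # input: escape it wherever it is rendered and do not build alerts or
    # commands from it without validation.
    grok {
      match => [ "message", "^<(?<player>[a-zA-Z0-9_]+)> .*$" ]
      add_tag => [ "player", "chat" ]
      tag_on_failure => []
    }
  }
}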
@BloodBlight

For tagging denied users:

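# Tag connection attempts rejected by the whitelist and record who tried.
# Stores the account UUID, the player name and the client IPv4 address.
# Repeated "denied" events from one playerip or playeruuid are worth a
# dashboard panel or an alert threshold.
grok {
  match => [ "message",  "\A%{UUID:playeruuid},name=(?<player>[a-zA-Z0-9_]+),[={}\[\],\.@a-zA-Z0-9_ (/]+%{IPV4:playerip}[):a-zA-Z0-9 ]+ not whitelisted" ]
  add_tag => [ "player", "denied" ]
  # Most lines are not whitelist rejections; an empty failure list keeps
  # them from being tagged _grokparsefailure by this pattern.
  tag_on_failure => []
}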
