wjimenez5271 · April 23, 2015 23:57
diff --git a/gistfile1.txt b/gistfile1.txt
 input {
  lumberjack {
    port => 5043
    # The paths to your ssl cert and key
    ssl_certificate => "mycert"
    ssl_key => "mykey"
  }
 }

 filter {
  if [type] == "apache" {
    grok {
      match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_method} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"}
       }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
  if [file] == "/somefile" {
   mutate {
      add_tag => [ "--" ]
      }
   #multiline {
   #   patterns_dir => "/opt/logstash-patterns-core/patterns"
   #   pattern => "(^%{TIMESTAMP_ISO8601})"
   #   negate => true
   #   what => "previous"
   #   stream_identity => "%{host}.%{file}.%{type}"
   #}
 }
  if [type] == "tomcat" {
   multiline {
      patterns_dir => "/opt/logstash-patterns-core/patterns"
      pattern => "(^%{TIMESTAMP_ISO8601})"
      negate => true
      what => "previous"
      stream_identity => "%{host}.%{file}.%{type}"
   }
 #       multiline {
 #        pattern => "^\s"
 #        what => "previous"
 #        }
      grok {
        patterns_dir => "/opt/logstash-patterns-core/patterns"
        break_on_match => "false"
        match => ["message", "%{TIMESTAMP_ISO8601:date} %{DATA:level} %{GREEDYDATA:tomcat_message}"]
 #        remove_field => [ "message" ]
        }
      date {
        match => [ "date", "YYYY-MM-dd HH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss.SSS" ]
        }
      mutate {
        remove_field => [ "tomcat_message" ]
 #        rename => [ "tomcat_message", "message" ]
        remove_field => [ "@source" ]
  }
 }
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }


 }

 output {
    #stdout{ codec => rubydebug }
    elasticsearch {
      cluster => "mycluster"
      host => "10.10.10.10"
      port => "9200"
      protocol => "http"
      workers => 4
    }
 }
	input {
	lumberjack {
	port => 5043
	# The paths to your ssl cert and key
	ssl_certificate => "mycert"
	ssl_key => "mykey"
	}
	}

	filter {
	if [type] == "apache" {
	grok {
	match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_method} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?\|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}\|-)"}
	}
	date {
	match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
	}
	}
	if [file] == "/somefile" {
	mutate {
	add_tag => [ "--" ]
	}
	#multiline {
	# patterns_dir => "/opt/logstash-patterns-core/patterns"
	# pattern => "(^%{TIMESTAMP_ISO8601})"
	# negate => true
	# what => "previous"
	# stream_identity => "%{host}.%{file}.%{type}"
	#}
	}
	if [type] == "tomcat" {
	multiline {
	patterns_dir => "/opt/logstash-patterns-core/patterns"
	pattern => "(^%{TIMESTAMP_ISO8601})"
	negate => true
	what => "previous"
	stream_identity => "%{host}.%{file}.%{type}"
	}
	# multiline {
	# pattern => "^\s"
	# what => "previous"
	# }
	grok {
	patterns_dir => "/opt/logstash-patterns-core/patterns"
	break_on_match => "false"
	match => ["message", "%{TIMESTAMP_ISO8601:date} %{DATA:level} %{GREEDYDATA:tomcat_message}"]
	# remove_field => [ "message" ]
	}
	date {
	match => [ "date", "YYYY-MM-dd HH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss.SSS" ]
	}
	mutate {
	remove_field => [ "tomcat_message" ]
	# rename => [ "tomcat_message", "message" ]
	remove_field => [ "@source" ]
	}
	}
	if [type] == "syslog" {
	grok {
	match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{host}" ]
	}
	syslog_pri { }
	date {
	match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
	}
	}


	}

	output {
	#stdout{ codec => rubydebug }
	elasticsearch {
	cluster => "mycluster"
	host => "10.10.10.10"
	port => "9200"
	protocol => "http"
	workers => 4
	}
	}
No results found