-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlogstash.conf
63 lines (61 loc) · 2.46 KB
/
logstash.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
input {
udp {
port => 10514
type => syslog
}
}
filter {
# Drop messages containing 0 byte only
if [message] == "\u0000" {
drop { }
}
if [type] == "syslog" {
# Example mail messages:
# <22>Jul 2 00:12:36 mail postfix/postfix-script[137]: starting the Postfix mail system
# <22>Jul 2 00:12:36 mail postfix/master[139]: daemon started -- version 3.0.3, configuration /etc/postfix
# <22>Jul 2 00:12:36 mail dovecot: master: Dovecot v2.2.20 (46a35dcdb936) starting up for imap, pop3 (core dumps disabled)
# <22>Jul 2 00:12:36 mail dovecot: ssl-params: Generating SSL parameters
# Example redmine messages:
# <13>Jun 30 19:50:10 redmine.example.org redmine: Processing by RbServerVariablesController#index as JS
# <13>Jun 30 19:50:10 redmine.example.org redmine: Current user: anonymous
# Example slapd messages:
# <5>Jul 5 21:46:21 ldap slapd: ACCESS conn=9 fd=64 slot=64 connection from 172.18.0.8 to 172.18.0.10
# <5>Jul 5 21:46:21 ldap slapd: ACCESS conn=9 op=0 BIND dn="cn=redmine,ou=Special Users,dc=algorythm,dc=de" method=128 version=3
# <5>Jul 5 21:46:21 ldap slapd: ACCESS conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=redmine,ou=special users,dc=algorythm,dc=de"
# <5>Jul 5 21:46:21 ldap slapd: ACCESS conn=7 op=-1 fd=64 closed - B1
# Example postgres messages:
# <5>Jul 5 23:35:42 postgres postgres: [1-2] HINT: Future log output will go to log destination "syslog".
# <5>Jul 5 23:35:42 postgres postgres: [3-1] LOG: MultiXact member wraparound protections are now enabled
# <5>Jul 5 23:35:42 postgres postgres: [2-1] LOG: database system is ready to accept connections
grok {
match => { "message" => "%{SYSLOG5424PRI}?%{SYSLOGLINE}" }
overwrite => [ "message" ]
}
syslog_pri { }
date {
match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
locale => "en"
}
# TODO: parse ldap operations in message
# TODO: parse postgres log level from message in specialized
# TODO: maybe parse postfix queue ID and from and to email addresses in separate mail log handler
if !("_grokparsefailure" in [tags]) {
mutate {
rename => { "message" => "@message" } # Index message
replace => { "priority" => "%{syslog5424_pri}" }
remove_field => [ "syslog5424_pri" ]
}
}
if !("_dateparsefailure" in [tags]) {
mutate {
remove_field => [ "timestamp", "timestamp8601" ]
}
}
}
}
output {
elasticsearch {
hosts => ["elasticsearch"]
}
stdout { codec => rubydebug }
}