-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Jens Braeuer
committed
Aug 16, 2011
1 parent
f476f97
commit cb5159a
Showing
3 changed files
with
128 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
input { | ||
file { | ||
type => "linux-syslog" | ||
# Wildcards work, here :) | ||
path => [ "/var/log/messages" ] | ||
} | ||
|
||
file { | ||
type => "n4-webservices" | ||
path => [ "/var/log/*/current" ] | ||
} | ||
} | ||
|
||
filter { | ||
grok { | ||
pattern => "%{TIMESTAMP}" | ||
type => "n4-webservices" | ||
patterns_dir => "/etc/logstash/pattern.d/" | ||
} | ||
|
||
date { | ||
type => "n4-webservices" | ||
TIMESTAMP => "yyyy-MM-dd HH:mm:ss,SSS" | ||
} | ||
} | ||
|
||
output { | ||
# Emit events to stdout for easy debugging of what is going through | ||
# logstash. | ||
stdout { } | ||
|
||
# This will use elasticsearch to store your logs. | ||
# The 'embedded' option will cause logstash to run the elasticsearch | ||
# server in the same process, so you don't have to worry about | ||
# how to download, configure, or run elasticsearch! | ||
elasticsearch { embedded => true } | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
USERNAME [a-zA-Z0-9_-]+ | ||
USER %{USERNAME} | ||
INT (?:[+-]?(?:[0-9]+)) | ||
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))) | ||
NUMBER (?:%{BASE10NUM}) | ||
BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+)) | ||
BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b | ||
|
||
POSINT \b(?:[0-9]+)\b | ||
WORD \b\w+\b | ||
NOTSPACE \S+ | ||
DATA .*? | ||
GREEDYDATA .* | ||
QUOTEDSTRING (?:(?<!\\)(?:"(?:\\.|[^\\"])*"|(?:'(?:\\.|[^\\'])*')|(?:`(?:\\.|[^\\`])*`))) | ||
|
||
# Networking | ||
MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC}) | ||
CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}) | ||
WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2}) | ||
COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}) | ||
IP (?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9]) | ||
HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b) | ||
HOST %{HOSTNAME} | ||
IPORHOST (?:%{HOSTNAME}|%{IP}) | ||
HOSTPORT (?:%{IPORHOST=~/\./}:%{POSINT}) | ||
|
||
# paths | ||
PATH (?:%{UNIXPATH}|%{WINPATH}) | ||
UNIXPATH (?<![\w\\/])(?:/(?:[\w_%!$@:.,-]+|\\.)*)+ | ||
#UNIXPATH (?<![\w\/])(?:/[^\/\s?*]*)+ | ||
LINUXTTY (?:/dev/pts/%{POSINT}) | ||
BSDTTY (?:/dev/tty[pq][a-z0-9]) | ||
TTY (?:%{BSDTTY}|%{LINUXTTY}) | ||
WINPATH (?:[A-Za-z]+:|\\)(?:\\[^\\?*]*)+ | ||
URIPROTO [A-Za-z]+(\+[A-Za-z+]+)? | ||
URIHOST %{IPORHOST}(?::%{POSINT:port})? | ||
# uripath comes loosely from RFC1738, but mostly from what Firefox | ||
# doesn't turn into %XX | ||
URIPATH (?:/[A-Za-z0-9$.+!*'(),~:#%_-]*)+ | ||
#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)? | ||
URIPARAM \?[A-Za-z0-9$.+!*'(),~#%&/=:;_-]* | ||
URIPATHPARAM %{URIPATH}(?:%{URIPARAM})? | ||
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})? | ||
|
||
# Months: January, Feb, 3, 03, 12, December | ||
MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b | ||
MONTHNUM (?:0?[1-9]|1[0-2]) | ||
MONTHDAY (?:3[01]|[1-2]?[0-9]|0?[1-9]) | ||
|
||
# Days: Monday, Tue, Thu, etc... | ||
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?) | ||
|
||
# Years? | ||
YEAR [0-9]+ | ||
# Time: HH:MM:SS | ||
#TIME \d{2}:\d{2}(?::\d{2}(?:\.\d+)?)? | ||
# I'm still on the fence about using grok to perform the time match, | ||
# since it's probably slower. | ||
# TIME %{POSINT<24}:%{POSINT<60}(?::%{POSINT<60}(?:\.%{POSINT})?)? | ||
HOUR (?:2[0123]|[01][0-9]) | ||
MINUTE (?:[0-5][0-9]) | ||
# '60' is a leap second in most time standards and thus is valid. | ||
SECOND (?:(?:[0-5][0-9]|60)(?:[.,][0-9]+)?) | ||
TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]) | ||
# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it) | ||
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR} | ||
DATE_EU %{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY} | ||
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE})) | ||
ISO8601_SECOND (?:%{SECOND}|60) | ||
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}? | ||
DATE %{DATE_US}|%{DATE_EU} | ||
DATESTAMP %{DATE}[- ]%{TIME} | ||
TZ (?:[PMCE][SD]T) | ||
DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ} | ||
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR} | ||
|
||
# Syslog Dates: Month Day HH:MM:SS | ||
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} | ||
PROG (?:[\w._/-]+) | ||
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])? | ||
SYSLOGHOST %{IPORHOST} | ||
SYSLOGFACILITY <%{POSINT:facility}.%{POSINT:priority}> | ||
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT:ZONE} | ||
|
||
# Shortcuts | ||
QS %{QUOTEDSTRING} | ||
|
||
# Log formats | ||
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: | ||
COMBINEDAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
TIMESTAMP %{DATE_EU} %{TIME} |