forked from KrisBuytaert/puppet-logstash
-
Notifications
You must be signed in to change notification settings - Fork 0
/
indexer.conf
68 lines (64 loc) · 1.76 KB
/
indexer.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# mind that we're now using our own up patterns_dir which is managed by puppet
input {
amqp {
# ship logs to the 'rawlogs' fanout queue.
type => "all"
host => "127.0.0.1"
exchange => "rawlogs"
name => "rawlogs_consumer"
}
}
filter {
# grok {
# patterns_dir => [ "/etc/logstash/grok_patterns" ]
# match => [ "wtf" ]
# type => "syslog"
# add_tag => 'wtf'
# add_field => [ "wtf", "%{@message}" ]
# break_on_match => true
# named_captures_only => true
# }
grok {
patterns_dir => [ "/etc/logstash/grok_patterns" ]
type => "syslog"
pattern => "%{SYSLOGLINE}"
break_on_match => true
named_captures_only => true
}
grok {
patterns_dir => [ "/etc/logstash/grok_patterns" ]
type => "apache-access"
pattern => "%{COMBINEDAPACHELOG}"
break_on_match => true
named_captures_only => true
}
date {
type => "syslog"
# The 'timestamp' and 'timestamp8601' names are for fields in the
# logstash event. The 'SYSLOGLINE' grok pattern above includes a field
# named 'timestamp' that is set to the normal syslog timestamp if it
# exists in the event.
timestamp => "MMM d HH:mm:ss" # syslog 'day' value can be space-leading
timestamp => "MMM dd HH:mm:ss"
timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format
}
date {
type => "apache-access"
timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
}
}
output {
stdout { }
# If your elasticsearch server is discoverable with multicast, use this:
#elasticsearch { }
# If you can't discover using multicast, set the address explicitly
elasticsearch {
host => "127.0.0.1"
}
statsd {
host => "graphite01.dev.dc01.uni"
port => 8125
tags => [ 'wtf' ]
increment => [ "up.wtf.%{wtf}" ]
}
}