Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
82 lines (69 sloc) 2.5 KB
#
# @file
# Sample Logstash configuration file for processing Drupal logs.
#
# You may have to set the timezone name below. Only zone names are
# accepted; i.e. Europe/London, Pacific/Honolulu, etc. Numeric timezones,
# i.e. +0100, -1000 are not accepted. ***
#
# Note:
# @timestamp is the timestamp of the event i.e. the time when Logstash
# received the log entry.
# @host is the hostname of the machine that forwarded the log entry to Logstash.
#
input {
# Logs will be forwarded by rsyslog from web servers running Drupal.
syslog {
port => 5514
type => "syslog"
}
}
filter {
# Ignore "Last message repeated N times" messages.
if [type] == "syslog" and [message] =~ "Last message repeated" {
# This block has been left blank intentionally.
}
# Drupal's log.
else if [type] == "syslog" and [program] == "drupal" {
# Set the value of the "type" field.
mutate {
replace => {
"type" => "drupal"
}
}
# If necessary, adjust @timestamp for timezone. The "syslog" input thinks
# that all timestamps are in UTC.
# date {
# match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
#
# Web server's timezone. Rsyslog's timestamps are relative to this
# timezone.
# timezone => "Europe/London"
# }
# Extract various parts of a Drupal log line.
grok {
match => {
# Sample Syslog message: http://drupal.dev|1429176247|php|192.162.33.33|http://drupal.dev/foo/bar||1||Notice: Trying to get property of non-object in kartik_preprocess_node() (line 111 of /srv/www/drupal/themes/custom/kartik/kartik.theme).
"message" => "%{URI:drupal_base_url}\|%{NUMBER:drupal_log_unixtimestamp}\|%{DATA:drupal_log_type}\|%{IPORHOST:drupal_client_ip}\|%{URI:drupal_request_uri}\|%{URI:drupal_referer_uri}?\|%{NUMBER:drupal_userid}\|%{DATA:drupal_page_link}?\|%{GREEDYDATA:drupal_log_msg}"
}
add_field => {
# Drupal can log something at 12:11:30 and that can reach Logstash at
# 12:11:35. We want to know exactly when Logstash has received a log
# entry and from whom.
"log_received_at" => "%{@timestamp}"
"log_received_from" => "%{host}"
}
}
# Set logstash's event timestamp to Drupal log's timestamp. This way, we
# will be able to filter log entries in Logstash based on their time of
# occurance in Drupal.
date {
match => [ "drupal_log_unixtimestamp", "UNIX" ]
}
}
}
output {
# Store everything in Elasticsearch.
elasticsearch {
}
}