# Inputs: tail the per-channel chat log spool, sharded by channel-name prefix.
#
# Each file input watches one glob under /var/lib/ubuntu-chatlogs/spool and
# keeps its read offsets in its own sincedb file. "#ubuntu/*" covers the main
# channel; the other 26 inputs cover "#ubuntu-<letter>*" for a..z. A channel
# directory whose name continues with anything other than "-" plus a lowercase
# letter matches none of these globs and is not ingested.
#
# start_position => "beginning" only affects files that have no sincedb entry
# yet; files already tracked resume from the recorded offset.
#
# NOTE(review): the log lines are written by chat participants, so everything
# read here should be treated as untrusted input by the filter stage. The
# Logstash user needs read access to the spool and write access to the sincedb
# directory only - confirm the directory permissions match that.
input {
  # Main channel.
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-main.sincedb"
    codec          => plain { charset => "UTF-8" }
  }

  # Sub-channels, one input (and one sincedb) per first letter after "#ubuntu-".
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-a*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-a.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-b*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-b.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-c*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-c.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-d*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-d.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-e*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-e.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-f*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-f.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-g*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-g.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-h*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-h.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-i*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-i.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-j*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-j.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-k*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-k.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-l*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-l.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-m*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-m.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-n*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-n.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-o*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-o.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-p*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-p.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-q*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-q.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-r*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-r.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-s*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-s.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-t*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-t.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-u*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-u.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-v*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-v.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-w*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-w.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-x*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-x.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-y*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-y.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
  file {
    path           => [ "/var/lib/ubuntu-chatlogs/spool/#ubuntu-z*/*" ]
    start_position => "beginning"
    sincedb_path   => "/var/lib/ubuntu-chatlogs/sincedb/chatlogs-ubuntu-z.sincedb"
    codec          => plain { charset => "UTF-8" }
  }
}
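# Filter: turn one raw chat-log line into a structured event.
#
# Fields produced (depending on the line): channel, server, @timestamp, action,
# nick, oldnick, who, mode, topic, hostmask, reason, text.
#
# The message body is written by chat participants and is untrusted. Every
# event pattern below is therefore anchored to the start of the line, so text
# inside an ordinary "<nick> ..." message cannot be classified as a channel
# event (join, kick, mode change, ...).
#
# NOTE(review): the patterns accept both "===" and "*" as the event prefix. If
# the log format also uses "*" for user-typed action lines, such a line that
# imitates an event phrase would still be parsed as that event - confirm
# against the log writer and, if so, restrict event patterns to "===".
filter {
  # Derive channel and date from the source file name:
  #   .../#<channel>.<year>-<month>-<day>
  grok {
    match => {
      "path" => "%{GREEDYDATA}/#%{DATA:channel}\.%{YEAR:year}-%{MONTHNUM2:month}-%{MONTHDAY:day}$"
    }
    add_field => {
      server => "chat.freenode.org"
    }
    # Applied only when the match succeeds.
    remove_field => "path"
  }

  # Optional "[HH:MM]" prefix on the line itself.
  grok {
    match => { "message" => "^\[%{HOUR:hour}:%{MINUTE:minute}\]" }
  }

  # Lines without a timestamp are dated at midnight of the file's day.
  if ![hour] {
    mutate { add_field => { hour => "00" } }
  }
  if ![minute] {
    mutate { add_field => { minute => "00" } }
  }

  mutate {
    add_field => { "grokdate" => "%{year}/%{month}/%{day} %{hour}:%{minute} +0000" }
    # Clears the failure tag left by the timestamp grok on lines that have no
    # "[HH:MM]" prefix. NOTE(review): mutate applies this unconditionally, so
    # a _grokparsefailure from the path grok above is cleared as well; a path
    # that did not parse is then only visible through the date filter failing.
    remove_tag => [ "_grokparsefailure" ]
  }

  date {
    # Day-of-month is "d"/"dd"; the two-digit-year formats previously used
    # "D"/"DD", which is day-of-year and cannot be combined with a month.
    match => [ "grokdate",
      "YYYY/MM/dd HH:mm Z",
      "YYYY/M/d H:m Z",
      "YY/MM/dd HH:mm Z",
      "YY/M/d H:m Z"
    ]
    timezone => "Etc/UTC"
    # Applied only when the date parses.
    remove_field => [ "year", "month", "day", "hour", "minute", "grokdate" ]
  }

  # Channel events. Each pattern is anchored with the same optional "[HH:MM] "
  # prefix the conditionals further down use; unanchored, these matched an
  # event phrase anywhere in the line, including inside a user's message text.
  grok {
    match => { "message" => [
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<action>Topic) for %{NOTSPACE}: %{GREEDYDATA:text}",
      # "%{NOTSPACE:nick}" was missing its "%" and never captured the nick.
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<action>Topic) \(%{NOTSPACE}\): set by %{NOTSPACE:nick}",
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>(\S|\] )+) sets (?<action>mode) %{GREEDYDATA:mode}",
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<action>mode)/#%{NOTSPACE}%{SPACE}\[%{DATA:mode}\]%{SPACE}by (?<nick>(\S|\] )+)",
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>(\S|\] )+) was (?<action>kick)ed off #%{NOTSPACE} by (?<who>(\S|\] )+)%{SPACE}%{GREEDYDATA:reason}",
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>(\S|\] )+) changed the (?<action>topic) of #%{NOTSPACE} to %{GREEDYDATA:topic}",
      "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>(\S|\] )+) (\[%{DATA:hostmask}\]%{SPACE})?has (?<action>join)ed #%{NOTSPACE}"
    ] }
    remove_tag => [ "_grokparsefailure" ]
  }

  # The remaining line types are tried in order, each only while no action has
  # been assigned. The cheap regex in the condition pre-selects the line so
  # the grok runs only where it is expected to match. The timestamp prefix in
  # these groks previously read "\d%{HOUR}", a stray "\d" in front of the
  # hour pattern.

  # Part: "<nick> [hostmask] has left <channel> [reason]".
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?(===|\*) \S+ \S+ has left" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>(\S|\] )+)%{SPACE}(\[%{DATA}\]%{SPACE})?has left %{NOTSPACE}(%{SPACE}\[%{GREEDYDATA:reason}\])?" }
      add_field => { action => "part" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }

  # Nick change: "<oldnick> is now known as <nick>".
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?(===|\*) \S+ is now known as" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<oldnick>(\S|\] )+) is now known as (?<nick>(\S|\] )+)" }
      add_field => { action => "nick" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }

  # Ordinary message: "<nick> text".
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?<\S+>" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?\<(?<nick>[^\>]+)\>%{SPACE}%{GREEDYDATA:text}" }
      add_field => { action => "message" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }

  # Anything else that starts with the event prefix and a nick-like token is
  # recorded as a generic action line.
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?(===|\*) [^#\(\[]\S+" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>(\S|\] )+)%{SPACE}%{GREEDYDATA:text}" }
      add_field => { action => "action" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }

  # Normalise identity fields: lower-case them and strip any whitespace the
  # nick patterns captured.
  mutate {
    lowercase => [ "action", "nick", "oldnick", "who" ]
    gsub => [ "nick", "\s", "", "oldnick", "\s", "", "who", "\s", "" ]
  }
}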
# Output: ship every event to a single Elasticsearch index.
#
# NOTE(review): the endpoint is plain http:// and this block sets no
# credentials or TLS options, so as configured the events travel unencrypted
# and unauthenticated. Confirm the cluster is reachable only on an isolated
# network, or enable TLS and authentication on both sides.
output {
  elasticsearch {
    hosts => [ "http://elasticsearch:9200" ]
    # One fixed index name; no date suffix is appended.
    index => "logstash-chat-ubuntu"
  }
}