117 lines
3.0 KiB
Plaintext
117 lines
3.0 KiB
Plaintext
input {
|
|
|
|
# Region 1
|
|
rabbitmq {
|
|
codec => "msgpack"
|
|
debug => true
|
|
host => "region1.cybera.ca"
|
|
exchange => "region1-logs"
|
|
user => "logstash"
|
|
password => "password"
|
|
ssl => true
|
|
port => "5672"
|
|
vhost => "rsyslog"
|
|
auto_delete => false
|
|
durable => true
|
|
key => 'logstash'
|
|
exclusive => false
|
|
passive => true
|
|
queue => 'logstash'
|
|
}
|
|
|
|
# Region 2
|
|
rabbitmq {
|
|
codec => "msgpack"
|
|
debug => true
|
|
host => "region2.cybera.ca"
|
|
exchange => "region1-logs"
|
|
user => "logstash"
|
|
password => "password"
|
|
ssl => true
|
|
port => "5672"
|
|
vhost => "rsyslog"
|
|
auto_delete => false
|
|
durable => true
|
|
key => 'logstash'
|
|
exclusive => false
|
|
passive => true
|
|
queue => 'logstash'
|
|
}
|
|
|
|
}
|
|
|
|
|
|
filter {
|
|
if "oslofmt" in [tags] {
|
|
grok {
|
|
match => { "message" => "^%{TIMESTAMP_ISO8601:logdate} %{SYSLOGHOST:syslog_hostname} %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{NUMBER:syslog_pid} (?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:module} (?<ref_id_group>\[%{NOTSPACE:ref_id}?%{DATA:ref_id2}\]) %{GREEDYDATA:logmessage}" }
|
|
add_field => { "received_at" => "%{@timestamp}" }
|
|
}
|
|
if !("_grokparsefailure" in [tags]) {
|
|
mutate {
|
|
replace => [ "@source_host", "%{syslog_hostname}" ]
|
|
gsub => [ "message", "#012", "\
|
|
"]
|
|
}
|
|
}
|
|
# Make sure we set @timestamp to the log date
|
|
date {
|
|
match => [ "logdate", "ISO8601" ]
|
|
locale => "en"
|
|
target => "@timestamp"
|
|
}
|
|
} else if "syslogfmt" in [tags] {
|
|
grok {
|
|
match => { "message" => "^%{TIMESTAMP_ISO8601:logdate} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:logmessage}" }
|
|
add_field => [ "received_at", "%{@timestamp}" ]
|
|
}
|
|
date {
|
|
match => [ "logdate", "ISO8601" ]
|
|
locale => "en"
|
|
target => "@timestamp"
|
|
}
|
|
syslog_pri {
|
|
severity_labels => ["ERROR", "ERROR", "ERROR", "ERROR", "WARNING", "INFO", "INFO", "DEBUG" ]
|
|
}
|
|
if !("_grokparsefailure" in [tags]) {
|
|
mutate {
|
|
replace => [ "@source_host", "%{syslog_hostname}" ]
|
|
}
|
|
}
|
|
mutate {
|
|
add_field => [ "loglevel", "%{syslog_severity}" ]
|
|
add_field => [ "module", "%{syslog_program}" ]
|
|
}
|
|
} else if "swiftfmt" in [tags] {
|
|
grok {
|
|
match => { "message" => "^%{TIMESTAMP_ISO8601:logdate} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:logmessage}" }
|
|
add_field => [ "received_at", "%{@timestamp}" ]
|
|
}
|
|
syslog_pri {
|
|
severity_labels => ["ERROR", "ERROR", "ERROR", "ERROR", "WARNING", "INFO", "INFO", "DEBUG" ]
|
|
}
|
|
if !("_grokparsefailure" in [tags]) {
|
|
mutate {
|
|
replace => [ "@source_host", "%{syslog_hostname}" ]
|
|
}
|
|
}
|
|
mutate {
|
|
add_field => [ "loglevel", "%{syslog_severity}" ]
|
|
add_field => [ "module", "%{syslog_program}" ]
|
|
}
|
|
date {
|
|
match => [ "logdate", "ISO8601" ]
|
|
locale => "en"
|
|
target => "@timestamp"
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
output {
|
|
elasticsearch_http {
|
|
host => "127.0.0.1"
|
|
}
|
|
}
|
|
|