I originally thought the data was not in ElasticSearch, but after some help, it looks like the date was parsed incorrectly (it gets the month wrong).
Here are the 3 (original) lines coming from the log file:
[MST Nov 10 09:35:07] error : 'htpasswd' checksum test failed for /etc/nginx/.htpasswd
[MST Nov 10 09:35:07] error : 'logstash' process PID changed from 18232 to 18462
[MST Nov 10 09:35:07] info : 'logstash_conf' timestamp was not changed for /etc/logstash/conf.d
And here is the Logstash config file for monit:
input {
  file {
    path => '/var/log/monit.log'
    sincedb_path => "/var/logstash/monit.db"
    sincedb_write_interval => 1
    type => 'monit'
  }
}
filter {
  if [type] == 'monit' {
    grok {
      match => [ 'message', '%{SYSLOG5424SD:timestamp_noyear} %{LOGLEVEL:loglevel}%{SPACE}: %{GREEDYDATA:message}' ]
      overwrite => 'message'
    }
    ruby {
      init => "require 'time'"
      code => "Time.strptime(event['timestamp_noyear'], '[%Z %b %d %H:%M:%S]') - Time.now > 2500000 ? event['year'] = Time.now.year - 1 : event['year'] = Time.now.year"
    }
    mutate {
      add_field => {
        "timestamp" => "%{timestamp_noyear} %{year}"
      }
    }
    date {
      match => [ "timestamp", "[zzz MMM DD HH:mm:ss] yyyy", "[zzz MMM D HH:mm:ss] yyyy" ]
      locale => "en"
      remove_field => [ "timestamp", "timestamp_noyear", "year" ]
    }
  }
}
Here is the data parsed:
{"message":"'htpasswd' checksum test failed for /etc/nginx/.htpasswd","@version":"1","@timestamp":"2015-01-10T16:35:07.000Z","host":"ubuntu","path":"/var/log/monit.log","type":"monit","loglevel":"error"}
{"message":"'logstash_conf' timestamp was not changed for /etc/logstash/conf.d","@version":"1","@timestamp":"2015-01-10T16:35:07.000Z","host":"ubuntu","path":"/var/log/monit.log","type":"monit","loglevel":"info"}
{"message":"'logstash' process PID changed from 18232 to 18462","@version":"1","@timestamp":"2015-01-10T16:35:07.000Z","host":"ubuntu","path":"/var/log/monit.log","type":"monit","loglevel":"error"}
I cannot figure out why the wrong month is picked. Even debugging and redoing the date pattern from scratch, I came up with the exact same one.
System info:
- Ubuntu 14.04.3 64bit LTS
- Logstash 1.5.5
- Official JDK 8 (u66)
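As an added example (not part of the original post), the script below reproduces the pipeline's steps outside Logstash: the grok-style split of a monit line, the ruby filter's "previous year if more than 2,500,000 s in the future" guess, and the final date parse. The date filter above uses Joda-Time's "DD", which is day-of-year rather than day-of-month; Python's strptime has the same split ("%j" vs "%d"), so passing "%j" reproduces the January timestamp seen in the parsed output and "%d" gives the expected November one. The zone table and the "now" reference times are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copies of monit log lines in the format shown in the question.
SAMPLE = ("[MST Nov 10 09:35:07] error : 'htpasswd' checksum test failed "
          "for /etc/nginx/.htpasswd")
DEC_SAMPLE = "[MST Dec 20 23:59:59] info : 'logstash' process is running"

# Constructed reference clocks so the year guess is reproducible.
REFERENCE_NOW = datetime(2015, 11, 12, 12, 0, 0, tzinfo=timezone.utc)
EARLY_JAN = datetime(2016, 1, 5, 0, 0, 0, tzinfo=timezone.utc)

# Equivalent of the SYSLOG5424SD / LOGLEVEL / GREEDYDATA grok pattern.
LINE_RE = re.compile(
    r"^\[(?P<tz>[A-Z]{3}) (?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<level>\w+)\s*: (?P<message>.*)$")

# Assumption: only the zone abbreviation seen on the page is needed (MST = UTC-7).
ZONE_OFFSETS = {"MST": -7, "UTC": 0}


def guess_year(stamp, now, fmt):
    """Mirror the ruby filter: parse with the current year and, if that lands
    more than 2,500,000 s (about 29 days) in the future, use the previous year."""
    candidate = datetime.strptime(f"{stamp} {now.year}", fmt + " %Y")
    ahead = candidate - now.replace(tzinfo=None)
    return now.year - 1 if ahead > timedelta(seconds=2_500_000) else now.year


def parse_monit(line, now, day_directive):
    """Return the event time in UTC, or None if the line does not match.

    day_directive is "%d" (day-of-month, what the config intends) or "%j"
    (day-of-year, what Joda "DD" actually means)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fmt = f"%b {day_directive} %H:%M:%S"
    year = guess_year(m["stamp"], now, fmt)
    naive = datetime.strptime(f"{m['stamp']} {year}", fmt + " %Y")
    tz = timezone(timedelta(hours=ZONE_OFFSETS[m["tz"]]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


if __name__ == "__main__":
    for directive in ("%j", "%d"):
        print(directive, parse_monit(SAMPLE, REFERENCE_NOW, directive).isoformat())
```

With "%j" the line lands on 2015-01-10T16:35:07+00:00, matching the output the question shows; with "%d" it lands on 2015-11-10T16:35:07+00:00.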