I am not too sure whether the issue is with Logstash or Log-courier. It seems that Logstash keeps rereading the same log line and parsing it multiple times. To check this I named the common field %{WORD:field1}, %{WORD:field2}, %{WORD:field3}. When I tail the log for Logstash, each one comes out three different times for that same log line.
"@version" => "1",
"@timestamp" => "2015-11-02T21:25:34.495Z",
"day" => "Mon",
"timestamp" => "Nov 02 21:25:30",
"year" => "2015",
"global1" => "REX", (This repeats itself three times, with the same timestamp and log entry)
"resource" => "Service",
"status" => "notice",
"results" => " enable changed 'false' to 'true'"
What version?
What do your configs look like?
logstash=1.5 log-courier=latest
input {
  # Receives events shipped by log-courier on TCP port 5001.
  courier {
    # Certificate and private key the listener uses for its transport.
    # The key file should be readable only by the account Logstash runs as.
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    port => 5001
    # NOTE(review): an input-level type does not replace a type the event
    # already carries. The filter section only runs grok when type is
    # "puppet", so that value presumably comes from the shipper's own
    # configuration. Confirm on the log-courier side.
    type => "logs"
    # NOTE(review): nothing in this block checks who the sender is, so any
    # host that can reach the port may be able to submit events. Confirm
    # that network access to 5001 is limited to the expected shippers.
  }
}
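filter {
  # Break Puppet agent log lines into structured fields. Only events whose
  # type is "puppet" go through grok; everything else skips straight to the
  # mutate below.
  if [type] == "puppet" {
    grok {
      # A single match entry with an ordered list of patterns replaces the
      # four separate match settings on the same "message" key, so the
      # order in which patterns are tried is explicit. With grok's default
      # behaviour the first pattern that matches wins and the rest are not
      # tried.
      #
      # The literal [ ] ( ) characters of the log line are backslash-escaped.
      # In the listing as posted they were bare, which the regex engine reads
      # as character classes and groups rather than literal text. The
      # backslashes were presumably lost when the config was pasted.
      #
      # global1 / global2 / global3 are deliberately distinct names, so the
      # resulting event shows which pattern produced it.
      #
      # Events that match none of the patterns are not dropped. By default
      # grok tags them _grokparsefailure and they continue to the output
      # unparsed.
      match => {
        "message" => [
          "%{DAY:day}\ %{SYSLOGTIMESTAMP:timestamp}\ %{INT:notused}\ %{YEAR:year}\ /Stage\[main\]/%{WORD:global1}::%{NOTSPACE:nothing}/%{WORD:resource}\[%{DATA:name}\]/%{WORD:nothing} \(%{LOGLEVEL:status}\):%{GREEDYDATA:results}",
          "%{DAY:day}\ %{SYSLOGTIMESTAMP:timestamp}\ %{INT:notused}\ %{YEAR:year}\ /Stage\[main\]/%{WORD:global2}/%{WORD:resource}\[%{DATA:name}\]/%{NOTSPACE:nothing}\ \(%{LOGLEVEL:status}\):%{GREEDYDATA:results}",
          "%{DAY:day}\ %{SYSLOGTIMESTAMP:timestamp}\ %{INT:notused}\ %{YEAR:year}\ %{DATA:application}\]/%{WORD:global3}%{DATA:nothing}\[%{DATA:name}\] \(%{LOGLEVEL:status}\):\ %{GREEDYDATA:results}",
          "%{DAY:day}\ %{SYSLOGTIMESTAMP:timestamp}\ %{INT:notused}\ %{YEAR:year}\ %{DATA:application}\ \(%{LOGLEVEL:status}\):\ %{GREEDYDATA:results}"
        ]
      }
    }
  }
  # Strip scratch captures before indexing. This sits outside the type
  # check, so it applies to every event. The three remove_field lists of
  # the original are combined into one, covering the same field names.
  mutate {
    remove_field => ["predata", "number", "nothing", "application", "notused", "stage", "define", "md5", "main", "words"]
  }
}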
output {
  # Index every event into the Elasticsearch instance on this machine.
  # No credentials or transport encryption are set in this block.
  # NOTE(review): when Logstash is started against a config directory it
  # concatenates every file there into one pipeline, so a leftover or backup
  # file with its own output section would emit each event again. Worth
  # ruling out when events show up in duplicate.
  elasticsearch {
    host => "localhost"
  }
}