input {
  # Receive events from Beats shippers (Filebeat etc.) on the standard port.
  beats {
    port => 5044
    # Idle clients are closed after this many seconds of inactivity (the beats
    # input documents this option in seconds, default 60). 60000 s is ~16.7 h;
    # NOTE(review): this looks like it may have been meant as milliseconds — confirm.
    client_inactivity_timeout => 60000
    # No ssl settings are configured here, so the listener accepts plaintext
    # connections from any client that can reach port 5044.
  }
}
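filter {
  # Only events the shipper tagged "san" or "pr" are parsed; anything else
  # passes through this filter section untouched.
  if "san" in [tags] or "pr" in [tags] {
    # Classification chain: branches are tested top to bottom and the first
    # regex hit wins, so a line matched by an earlier branch (e.g. one whose
    # text happens to contain "INFO") never reaches the later ones.
    #
    # "message" is removed inside grok rather than in a separate mutate:
    # grok's own remove_field only runs when the match succeeds, so an event
    # whose line fails to parse keeps its raw text (and carries the
    # _grokparsefailure tag grok adds) instead of losing it.
    #
    # NOTE(review): patterns containing "..." look truncated in this copy of
    # the config; restore them from the original before deploying.
    if [message] =~ "CarbonCoreActivator" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\] \[] \[%{TIMESTAMP_ISO8601:eventTime}\] %{LOGLEVEL:logLevel} \{%{JAVACLASS}\} - ... }" }
      }
      mutate { add_tag => [ "CarbonCoreActivator", "inessential" ] }
    } else if [message] =~ "LogName = income" {
      grok {
        # NOTE(review): this pattern captures "soapAction" while the other
        # LogName patterns capture "SOAPAction"; confirm which field name the
        # consumers expect before unifying.
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\]%{SPACE}\[]%{SPACE}\[%{TIMESTAMP_ISO8601:eventTime}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\{%{JAVACLASS}\}%{SPACE}-%{SPACE}To: ((%{DATA:toProtocol}:/)?(%{URIPATHPARAM:toURL})?(,%{SPACE}WSAction:%{SPACE}%{DATA:WSAction})?(, SOAPAction:%{SPACE}%{DATA:soapAction})?)?, MessageID: (urn:uuid:)?(%{UUID:messageId})?, Direction: %{GREEDYDATA:direction}....( \{%{JAVACLASS}\})?" }
        remove_field => [ "message" ]
      }
      mutate { add_tag => [ "income", "essential" ] }
    } else if [message] =~ "LogName = out" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\]%{SPACE}\[]%{SPACE}\[%{TIMESTAMP_ISO8601:eventTime}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\{%{JAVACLASS}\}%{SPACE}-%{SPACE}To: ((%{DATA:toProtocol}:/)?(%{URIPATHPARAM:toURL})?(,%{SPACE}WSAction:%{SPACE}%{DATA:WSAction})?(, SOAPAction:%{SPACE}%{DATA:SOAPAction})?)?, MessageID: (urn:uuid:)?(%{UUID:messageId})?, Direction: %...( \{%{JAVACLASS}\})?" }
        remove_field => [ "message" ]
      }
      mutate { add_tag => [ "out", "essential" ] }
    } else if [message] =~ "LogName = Response" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\]%{SPACE}\[]%{SPACE}\[%{TIMESTAMP_ISO8601:eventTime}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\{%{JAVACLASS}\}%{SPACE}-%{SPACE}To: ((%{DATA:toProtocol}:/)?(%{URIPATHPARAM:toURL})?(,%{SPACE}WSAction:%{SPACE}%{DATA:WSAction})?(, SOAPAction:%{SPACE}%{DATA:SOAPAction})?)?, MessageID: (urn:uuid:)?(%{UUID:messageId})?, Direction: %{GREEDYDATA:direction}, .... ( \{%{JAVACLASS}\})?" }
        remove_field => [ "message" ]
      }
      mutate { add_tag => [ "Response", "essential" ] }
    } else if [message] =~ "LogName = Respond" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\]%{SPACE}\[]%{SPACE}\[%{TIMESTAMP_ISO8601:eventTime}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\{%{JAVACLASS}\}%{SPACE}-%{SPACE}To: ((%{DATA:toProtocol}:/)?(%{URIPATHPARAM:toURL})?(,%{SPACE}WSAction:%{SPACE}%{DATA:WSAction})?(....( \{%{JAVACLASS}\})?" }
        remove_field => [ "message" ]
      }
      mutate { add_tag => [ "Respond", "essential" ] }
    } else if [message] =~ "LogName = Fault" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\]%{SPACE}\[]%{SPACE}\[%{TIMESTAMP_ISO8601:eventTime}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\{%{JAVACLASS}\}%{SPACE}-%{SPACE}To: ((%{DATA:toProtocol}:/)?(%{URIPATHPARAM:toURL})?(,%{SPACE}WSAction:%{SPACE}%{DATA:WSAction})?(, SOAPAction:%{SPACE}%{DATA:SOAPAction})?)?, MessageID: (urn:uuid:)?(%{UUID:messageId})?, Direction: %{GREEDYDATA:direction}, ...( \{%{JAVACLASS}\})?" }
        remove_field => [ "message" ]
      }
      mutate { add_tag => [ "FaultLog", "essential" ] }
    } else if [message] =~ "LogName = ThrottleReject" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\]%{SPACE}\[]%{SPACE}\[%{TIMESTAMP_ISO8601:eventTime}\]%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}\{%{JAVACLASS}\}%{SPACE}-%{SPACE}To: ((%{DATA:toProtocol}:/)?(%{URIPATHPARAM:toURL})?(,%{SPACE}WSAction:%{SPACE}%{DATA:WSAction})?(, SOAPAction:%{SPACE}%{DATA:SOAPAction})?)?, MessageID: (urn:uuid:)?(%{UUID:messageId})?, Direction: %{GREEDYDATA:direction}, ....?( \{%{JAVACLASS}\})?" }
        remove_field => [ "message" ]
      }
      mutate { add_tag => [ "ThrottleReject", "essential" ] }
    } else if [source] =~ "http_access_management_console" {
      # Web access log: request line, referer-style url and user agent are
      # client-supplied strings and are stored as-is. eventTime here is the
      # access-log timestamp format, not ISO8601, so the date filter below may
      # not parse it for these events.
      grok {
        match => { "message" => "\A%{IP:clientIp} - - \[%{GREEDYDATA:eventTime}\] \"%{GREEDYDATA:request}\" %{NUMBER:statusCode} %{GREEDYDATA} \"%{GREEDYDATA:url}\" \"%{GREEDYDATA:browser_details}\"" }
      }
      mutate { add_tag => [ "http_access_management_console", "inessential" ] }
    } else if [message] =~ "logged" {
      # Login/logout audit lines: who, which tenant, what action, when.
      grok {
        match => { "message" => "\[%{TIMESTAMP_ISO8601:eventTime}\] %{LOGLEVEL:logLevel} - \'%{GREEDYDATA:UserId} \[%{GREEDYDATA:tenantId}\]\' %{GREEDYDATA:action} at \[%{TIMESTAMP_ISO8601:actionTime}\]" }
      }
      mutate { add_tag => [ "logged", "inessential" ] }
    } else if [message] =~ "INFO" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\] \[] \[%{TIMESTAMP_ISO8601:eventTime}\] %{LOGLEVEL:logLevel} \{%{JAVACLASS}\} - %{GREEDYDATA:content} \{%{JAVACLASS}\}" }
      }
      mutate { add_tag => [ "INFO", "inessential" ] }
    } else if [message] =~ "WARN" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\] \[] \[%{TIMESTAMP_ISO8601:eventTime}\] %{LOGLEVEL:logLevel} \{%{JAVACLASS}\} - %{GREEDYDATA:content} \{%{JAVACLASS}\}" }
      }
      mutate { add_tag => [ "WARN", "warn_error" ] }
    } else if [message] =~ "ERROR" {
      grok {
        match => { "message" => "\ATID: \[%{NUMBER:tenantId}\] \[] \[%{TIMESTAMP_ISO8601:eventTime}\] %{LOGLEVEL:logLevel} \{%{GREEDYDATA:errorGenerator}\} - %{GREEDYDATA:errorMessage} \{%{GREEDYDATA}\}" }
      }
      mutate { add_tag => [ "ERROR", "warn_error" ] }
    }

    # Type coercion, expressed once as a field => type map instead of four
    # repeated convert keys in one mutate block.
    # NOTE(review): x1..x4 look like placeholder field names; lowercasing a
    # field that was just converted to integer is at best a no-op — confirm
    # the intended fields.
    mutate {
      convert => {
        "x1" => "integer"
        "x2" => "integer"
        "x3" => "integer"
        "x4" => "integer"
      }
    }
    mutate {
      lowercase => [ "x1", "x2", "x3" ]
    }

    # Payload scrubbing for outbound/inbound events.
    # NOTE(review): the gsub replacement pairs are shown as "........'" in this
    # copy and cannot be reviewed; each entry must be a (field, regex,
    # replacement) triple.
    if "out" in [xx] or "inc" in [y] {
      mutate {
        gsub => [
          "payload", ........',
          "payload", ........',
          "payload", ........',
          "payload", ........',
          "payload", ........',
          "payload", ........',
          "payload", ........'
        ]
      }
    }

    # Parse the extracted eventTime and write the result back to eventTime
    # (target), so @timestamp keeps the value assigned at ingestion. Events
    # whose eventTime is missing or in another format keep the string as-is
    # and are tagged _dateparsefailure by the date filter.
    # NOTE(review): nothing above creates a "timestamp" field; presumably the
    # shipper adds one — verify, otherwise this remove_field is a no-op.
    date {
      match => [ "eventTime" , "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ]
      remove_field => [ "timestamp" ]
      target => "eventTime"
    }
  }
}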
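output {
  # Routing is by tag; branches are tested in order and the first match wins.
  # There is no catch-all, so an event matching no branch (e.g. a "san" event
  # not tagged "essential", or any "inessential" event) is silently dropped.
  #
  # All branches use plain hosts without any ssl option, so traffic and the
  # basic-auth credentials travel over HTTP to the cluster. The password
  # values below are redacted placeholders; for deployment prefer the
  # Logstash keystore and reference it as `password => "${<KEYSTORE_KEY>}"`
  # (placeholder key name) rather than a literal in this file.
  if "essential" in [tags] and "w" in [tags] and "san" in [tags] {
    elasticsearch {
      hosts => ["data01.:9200","data02.:9200"]
      index => "san-%{+YYYY-MM}"
      #template_name => "main"
      user => "logstashuser"
      password => "xxxxxxxxxxxxx"
    }
  } else if "/test/" in [context] and "a2" in [tags] and "pr" in [tags] {
    # Fixed: the condition was written `"/test/ in [context]` with an
    # unbalanced quote, which fails config parsing. Read here as a substring
    # test for "/test/" in the context field — confirm that was the intent.
    elasticsearch {
      hosts => ["data01.:9200","data02.:9200"]
      index => "main-%{+YYYY-MM}"
      user => "logstashuser"
      password => "xxxxxxxxxxxxx"
    }
  } else if "essential" in [tags] and "a2" in [tags] and "pr" in [tags] {
    # Daily index for essential pr/a2 events; the previous branch takes any
    # /test/ events first regardless of the essential tag.
    elasticsearch {
      hosts => ["data01.:9200","data02.:9200"]
      index => "main-%{+YYYY-MM-dd}"
      #template_name => "main"
      user => "logstashuser"
      password => "xxxxxxxxxxxxx"
    }
  } else if "a2" in [tags] and "pr" in [tags] {
    # Weekly index for everything else tagged a2/pr.
    # NOTE(review): "data01:9200" lacks the trailing dot used by every other
    # hosts entry ("data01.:9200"); with a resolver search list these can
    # resolve differently — confirm which form is correct.
    elasticsearch {
      hosts => ["data01:9200","data02.:9200"]
      index => "general-%{+xxxx}-w%{+ww}"
      #template_name => "general-logtemplate"
      user => "logstashuser"
      password => "xxxxxxxxxxxxx"
    }
  }
}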