Hey all,
I am setting up centralized logging for a network with 30 - 40 nodes running a bunch of different services. I have divided things up into namespaces to make logging easier and better for visualizing down the road. One item I was having problems with was using custom regex patterns in the grok filter, along with the standard patterns that logstash provides. So I finally found where separating the block below from the standard pattern matching, worked. Which brings up the question if when using the patterns_dir directive, if it overwrites the standard patterns and they need to be separated? If that is the case, it would be REALLY helpful to mention it in the documentation, because I would prefer to keep filters for certain streams to one block vs two, or more to be honest.
filter { grok { patterns_dir => ["/etc/logstash/conf.d/patterns"] match => {"message"=> "%{LOG_LEVEL:logLevel}"} } }