Logstash: Grok patterns location

As given by example

# contents of ./patterns/postfix:
POSTFIX_QUEUEID [0-9A-F]{10,11}

Raw data

Jan 1 06:25:43 mailserver14 postfix/cleanup[21403]: BEF25A72965: message-id=<20130101142543.5828399CCAF@mailserver14.example.com>

The corresponding Grok filter configuration will be:

filter {
  grok {
    patterns_dir => ["./patterns"]
    match => { "message" => "%{SYSLOGBASE} %{POSTFIX_QUEUEID:queue_id}: %{GREEDYDATA:syslog_message}" }
  }
}

Just to understand a few bits:

  1. Can the patterns_dir be specified "relative" to the installation directory of Logstash (e.g. something like $LOGSTASH_HOME/mypatterns/)?
  2. If NOT, can we specify the patterns directory in absolute terms to the OS (e.g. something like /tmp/logstash/configs/patterns)?

  1. Yes, you can. You can also define an environment variable as specified in https://www.elastic.co/guide/en/logstash/current/environment-variables.html

  2. An absolute path always works. Just remember that the user who runs Logstash needs to have sufficient permission to the paths.


Thanks mate.
Just on the "export" of the environment variable (it wasn't clear from the document): where should that export happen? When you start Logstash (on the command line in the shell?), or is there a variable file that we fill in and put as a config file?

If you're using systemd to run Logstash, you can add your vars to /etc/default/logstash. If you run Logstash from the CLI, you can add them to /etc/environment or to your shell's profile (.bash_profile or equivalent). You can check if the vars are loaded by running the env command. Implementation varies between OS and distribution, so it's best to check your system's docs on how to set system-wide variables.
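
The two replies above, put together as an added example (not code from the thread or from Logstash): a shell preflight that takes the patterns directory from an environment variable, insists on the absolute form, and checks that the current user can read it and that no other account can rewrite the pattern files. The variable name LOGSTASH_PATTERNS_DIR and the path /etc/logstash/patterns are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: LOGSTASH_PATTERNS_DIR, /etc/logstash/patterns.
#   /etc/default/logstash:  LOGSTASH_PATTERNS_DIR=/etc/logstash/patterns
#   pipeline config:        patterns_dir => ["${LOGSTASH_PATTERNS_DIR}"]
# Run this as the account that runs Logstash so the read tests reflect its access.

# Returns 0 = usable, 1 = not usable by this user, 2 = usable but others can modify it.
check_patterns_dir() {
    cpd_dir=$1
    cpd_rc=0
    case $cpd_dir in
        /*) ;;
        *) echo "FAIL: '$cpd_dir' is not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -d "$cpd_dir" ] || [ ! -r "$cpd_dir" ] || [ ! -x "$cpd_dir" ]; then
        echo "FAIL: cannot list and enter directory $cpd_dir" >&2
        return 1
    fi
    for cpd_f in "$cpd_dir" "$cpd_dir"/*; do
        [ -e "$cpd_f" ] || continue   # unexpanded glob in an empty directory
        if [ ! -r "$cpd_f" ]; then
            echo "FAIL: $cpd_f is not readable by $(id -un)" >&2
            return 1
        fi
        # Group- or world-writable pattern files let other accounts change parsing.
        if [ -n "$(find -H "$cpd_f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WARN: $cpd_f is writable by group or others" >&2
            cpd_rc=2
        fi
    done
    return "$cpd_rc"
}

# Constructed sample: a throwaway directory holding the pattern file from the thread.
sample=$(mktemp -d)
printf 'POSTFIX_QUEUEID [0-9A-F]{10,11}\n' > "$sample/postfix"
chmod 755 "$sample"; chmod 644 "$sample/postfix"
LOGSTASH_PATTERNS_DIR=$sample
check_patterns_dir "$LOGSTASH_PATTERNS_DIR" && echo "OK: $LOGSTASH_PATTERNS_DIR"
rm -rf "$sample"
```

An unset or empty variable fails the absolute-path test, so a missing export is caught by the same check.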