Logstash: Grok patterns location

kelk · May 6, 2020, 8:50am

As given by example

# contents of ./patterns/postfix:
POSTFIX_QUEUEID [0-9A-F]{10,11}

Raw data

Jan 1 06:25:43 mailserver14 postfix/cleanup[21403]: BEF25A72965: message-id=<20130101142543.5828399CCAF@mailserver14.example.com>

The corresponding Grok filter configuration will be:

filter {
 grok {
 patterns_dir => ["./patterns"]
 match => { "message" => "%{SYSLOGBASE} %{POSTFIX_QUEUEID:queue_id}: %{GREEDYDATA:syslog_message}" }
 }
}

Just to understand few bits

Can the patterns_dir be specified "relative" to the installation directory of logstash? (eg something like $LOGSTASH_HOME/mypatterns/ )
if NOT, can we specify the patterns directory in absolute terms to OS? (eg something like /tmp/logstash/configs/patterns) ?

ptamba · May 6, 2020, 10:49am

yes you can. you can also define environment variable as specified in https://www.elastic.co/guide/en/logstash/current/environment-variables.html
absolute path always works . just remember that user who runs logstash needs to have sufficient permission to the paths

kelk · May 6, 2020, 11:05am

thanks mate.
Just on the "export" of environment variable (couldn't be clear from the document). Where should that export happen? When you start logstash (command line on the shell?) or is there are variable file where we fill up and put as a config file?

ptamba · May 6, 2020, 11:36am

if you’re using systemd to run logstash, you can add your vars to /etc/default/logstash. if you run logstash from CLI, you can add them to /etc/environment or to your shell’s profile (.bash_profile or equivalent). you can check if vars are lodes by running env command. implementation varies between OS and distribution, so best to check your system’s docs on how to set systemwide variables

system · June 3, 2020, 11:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.