Hi All,
I have the following config:
input {
  syslog {
    host => "127.0.0.1"
    port => 5000
  }
}
filter {
  if [program] == "github_auth" or [program] == "github_gitauth" or [program] == "github_access" {
    # normalise PID: empty -> "N/A", otherwise strip the surrounding brackets
    if [PID] == "" { mutate { update => { "PID" => "N/A" } } }
    else { mutate { gsub => [ "PID", "[\[\]]", "" ] } }
    if [message] =~ /^{/ {
      # JSON-formatted message
      json { source => "message" }
      mutate { add_tag => "json" }
    }
    else if [message] =~ /.*=.*/ {
      # key/value-formatted message
      dissect { mapping => { "message" => "%{D} [%{Date}] %{LogLevel} %{} : %{data}" } }
      kv { source => "data" }
      mutate { add_tag => "kv" }
    }
    else {
      # value-only message (dissect variant for this format)
      dissect { mapping => { "message" => "%{Line} %{host} [%{Date}] %{data}" } }
      csv {
        source => "data"
        separator => " "
      }
      mutate { add_tag => "csv" }
    }
  }
  else { drop {} }
}
output {
  if [tags] =~ /fail/ {
    stdout {}
  }
  else { exec { command => "echo OK" } }
}
As you can see, depending on the log format (key/value or value only) I use the kv or the csv filter respectively. Both of those filters rely on dissect.
And I have a different variation of the dissect for each. Again, respectively:
dissect { mapping => { "message" => "%{D} [%{Date}] %{LogLevel} %{} : %{data}" } }
AND
dissect { mapping => { "message" => "%{Line} %{host} [%{Date}] %{data}" } }
Mostly this works fine, but sometimes I see messages in the value-only format (which should have been caught by csv) being caught by the dissect of the kv branch.
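<br>
As an added illustration (not part of the original post, and not Logstash code), the Python script below models the three branch conditions and the dissect/kv/csv steps of the filter block above and runs them over a few constructed messages. The sample lines, the function names and the simplified dissect/kv/csv emulation are assumptions made for this illustration; the two mapping strings are the ones quoted in the post. The last sample is a value-only line whose URL happens to contain "=", which is enough for the unanchored `/.*=.*/` test to route it into the kv branch, where the kv-style dissect mapping then fails.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Dissect mappings quoted in the post (kv branch and csv branch).
KV_MAPPING = "%{D} [%{Date}] %{LogLevel} %{} : %{data}"
CSV_MAPPING = "%{Line} %{host} [%{Date}] %{data}"

# Constructed sample messages (not real GitHub Enterprise log lines).
SAMPLES: List[str] = [
    '{"user": "alice", "action": "login"}',                                 # JSON
    "auth [2024-05-01T10:00:00Z] INFO worker : user=alice result=success",   # key/value
    "42 gh-web-1 [2024-05-01T10:00:01Z] alice org/app push ok",             # value only
    # value only, but the URL carries "=", so /.*=.*/ matches and it takes the kv branch
    "43 gh-web-1 [2024-05-01T10:00:02Z] alice https://example.test/org/app?ref=main push ok",
]


def dissect(mapping: str, message: str) -> Optional[Dict[str, str]]:
    """Approximate the dissect filter: %{name} is a field, %{} a skipped field,
    everything else a literal delimiter. Returns None when the message does not
    fit the mapping (Logstash would add the _dissectfailure tag in that case)."""
    parts = re.split(r"(%\{[^}]*\})", mapping)
    field_idx = [i for i, p in enumerate(parts) if p.startswith("%{")]
    pattern, names = "", []
    for i, part in enumerate(parts):
        if part.startswith("%{"):
            names.append(part[2:-1])
            # the last field consumes the rest of the line; the others stop at the next delimiter
            pattern += "(.*)" if i == field_idx[-1] else "(.*?)"
        else:
            pattern += re.escape(part)
    match = re.fullmatch(pattern, message)
    if match is None:
        return None
    return {n: v for n, v in zip(names, match.groups()) if n}


def kv(data: str) -> Dict[str, str]:
    """Mimic the kv filter with its default separators (whitespace between pairs, '=' inside)."""
    return dict(tok.split("=", 1) for tok in data.split() if "=" in tok)


def csv(data: str) -> Dict[str, str]:
    """Mimic the csv filter with separator " " and default column names column1..columnN."""
    return {f"column{i}": v for i, v in enumerate(data.split(" "), start=1)}


def route(message: str) -> str:
    """The three branch conditions, in the order the filter block evaluates them."""
    if re.match(r"^\{", message):
        return "json"
    if re.search(r".*=.*", message):   # =~ is an unanchored search: any "=" anywhere qualifies
        return "kv"
    return "csv"


def process(message: str) -> Dict[str, Any]:
    """Run one message through the modelled filter block and return the resulting event."""
    event: Dict[str, Any] = {"message": message, "tags": []}
    branch = route(message)
    if branch == "json":
        try:
            event.update(json.loads(message))
        except ValueError:
            event["tags"].append("_jsonparsefailure")
    else:
        fields = dissect(KV_MAPPING if branch == "kv" else CSV_MAPPING, message)
        if fields is None:
            event["tags"].append("_dissectfailure")
        else:
            event.update(fields)
            event.update(kv(fields["data"]) if branch == "kv" else csv(fields["data"]))
    event["tags"].append(branch)
    return event


def failed(event: Dict[str, Any]) -> bool:
    """The intent of the output condition `[tags] =~ /fail/`: some failure tag is present."""
    return any("fail" in t for t in event["tags"])


if __name__ == "__main__":
    for line in SAMPLES:
        ev = process(line)
        print(f"{str(ev['tags']):30} {line}")
```

Running the script prints the tag list each sample ends up with; the fourth sample comes out as `['_dissectfailure', 'kv']` even though it is a value-only line, which is the misrouting described in the post.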