pipelines.yml
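---
# Logstash multi-pipeline definition: one pipeline per config file.
# Both files are expected under /etc/logstash/conf.d/ (see below).
- pipeline.id: pcf
  # RFC 5424 syslog received over tcp/udp (see syslog.conf).
  path.config: "/etc/logstash/conf.d/syslog.conf"
- pipeline.id: vm
  # Beats shipper input (see vmlog.conf).
  path.config: "/etc/logstash/conf.d/vmlog.conf"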
vmlog.conf
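input {
  # Beats shipper input. No `host` is set, so the plugin listens on all
  # interfaces, and no `ssl*` settings are present, so the connection is
  # plaintext; confirm the listener is reachable only from the intended
  # shippers (firewall / network policy).
  beats {
    port => 5044
    # Quoted: a value that starts with a digit is not a bareword in the
    # Logstash config grammar, so the unquoted `3dlog` does not load as a
    # string. Quoting makes it an explicit string either way.
    type => "3dlog"
  }
}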
# No parsing for Beats events: they are indexed exactly as received.
filter {
}
output {
  # Index into a local Elasticsearch node, one daily index.
  # Only `hosts` is configured: no `user`/`password` and no `ssl`, so this
  # relies on the node being local and access to it being restricted
  # elsewhere — confirm that assumption holds on the host.
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "logs-%{+yyyy.MM.dd}"
  }
}
syslog.conf
input {
  # Syslog on a single port over both transports. Every event is tagged
  # type "syslog" so the filter section can select it.
  # Neither input sets `host`, so both listen on all interfaces, and neither
  # is TLS-wrapped; UDP in particular carries no sender authenticity at all,
  # so the hostname/app fields parsed downstream are sender-controlled.
  tcp {
    port => 5041
    type => "syslog"
  }
  udp {
    port => 5041
    type => "syslog"
  }
}
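filter {
  # Only events tagged "syslog" by the tcp/udp inputs are parsed here.
  if [type] == "syslog" {
    # Patterns are tried in order; the first match wins (grok default).
    #   1. RFC 5424 header + structured data, then an application line
    #      (ISO8601 time, level, level number, scheduling info, message).
    #   2. host/app/proc + structured data + host + message; no PRI, no
    #      header timestamp.
    #   3. bare ISO8601 timestamp followed by the message.
    # All three lean on GREEDYDATA against untrusted network input, so the
    # per-event matching cost is bounded only by grok's default
    # `timeout_millis`; keep that in mind if the listener is exposed.
    grok {
      match => {
        "message" => [
          "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:timestamp}|-) +(?:%{HOSTNAME:host_app}|-) +(?:%{NOTSPACE:syslog5424_app}|-) +(?:%{NOTSPACE:syslog5424_proc}|-) - \[(?:%{GREEDYDATA:syslog_tags})\"\] +%{TIMESTAMP_ISO8601:time} +%{LOGLEVEL:logLevel} +%{INT:logLevelNo} +%{GREEDYDATA:scheduling}] +%{GREEDYDATA:logMessage}",
          "(?:%{HOSTNAME:host_app}|-) +(?:%{NOTSPACE:syslog5424_app}|-) +(?:%{NOTSPACE:syslog5424_proc}|-) +(?:%{NOTSPACE}|) \[(?:%{GREEDYDATA:syslog_tags})\"\] +(?:%{HOSTNAME:app_host}) +(?:%{NOTSPACE}|) +(?:%{GREEDYDATA:logMessage})",
          "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:logMessage}"
        ]
      }
    }
    # Derive facility/severity from the PRI captured by pattern 1. The
    # plugin's default source field ("syslog_pri") is not produced by any
    # pattern above; the stock SYSLOG5424PRI pattern captures into
    # "syslog5424_pri", so point the filter at that field.
    syslog_pri {
      syslog_pri_field_name => "syslog5424_pri"
    }
    # Set @timestamp from the header timestamp captured by patterns 1 and 3.
    # The previous source field ("syslog_timestamp") is not produced by any
    # pattern, so the filter never fired and @timestamp stayed at ingest
    # time. Events without a "timestamp" field (pattern 2) are skipped.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    # Split the structured-data element into key=value fields, stripping the
    # <>[], delimiters from keys and values. Keys come straight from the
    # remote sender and become Elasticsearch field names; constrain them
    # (e.g. `include_keys`) if the index mapping must stay bounded.
    kv {
      source => "syslog_tags"
      field_split => " "
      value_split => "="
      remove_char_key => "<>\[\],"
      remove_char_value => "<>\[\],"
      trim_key => "<>\[\],"
      trim_value => "<>\[\],"
      include_brackets => false
    }
    # Keep the raw line under "message" only when grok failed, so unparsed
    # events stay debuggable; parsed events have it moved aside and dropped
    # below. NOTE(review): nothing visible in this file sets "source_host"
    # (the tcp/udp inputs populate "host"), so that rename is likely a no-op
    # — confirm against the inputs.
    if "_grokparsefailure" not in [tags] {
      mutate {
        rename => {
          "source_host" => "syslog_hostname"
          "message" => "syslog_message"
        }
      }
    }
    # Drop the intermediate fields. Removing an absent field is a no-op, so
    # this is safe on the _grokparsefailure path too. Note that the original
    # line is not retained for successfully parsed events, which limits
    # after-the-fact verification of the grok output.
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_tags", "syslog_timestamp" ]
    }
  }
}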
output {
  # Parsed syslog goes to a local Elasticsearch node, one daily index,
  # kept apart from the Beats pipeline's "logs-*" indices.
  # Only `hosts` is configured: no `user`/`password` and no `ssl`, so this
  # relies on the node being local and access to it being restricted
  # elsewhere — confirm that assumption holds on the host.
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "app-logs-%{+yyyy.MM.dd}"
  }
}