Difference between revisions of "Logstash"
From Initech Technical Wiki
Revision as of 20:59, 18 November 2014
For various reasons, not least of which is timestamp normalisation (and, for that matter, normalisation of everything else), I chose to use the standard udp and tcp inputs for Logstash and skip the built-in syslog one. This meant I had to reinvent the wheel somewhat when it came to grok filters. So here I have documented the grok filters I built and why.
Note: because preformatted text doesn't wrap, I've split long lines in logical places.
input
    input {
      udp {
        port => 514
        type => syslog
      }
      tcp {
        port => 514
        type => syslog
      }
    }
filter
    filter {
      if [type] == "syslog" {

        # Delete useless log messages
        if [message] =~ /Access Server SDK: No log writers/
           or [message] =~ /Warning: Could not obtain lock on \/mnt\/oracle\/ohs/
           or [message] =~ /last message repeated [0-9]+ times/ {
          drop { }
        }
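To show what the raw udp/tcp input leaves for grok to do, and what the drop conditional above removes, here is an added Python example (not from the wiki page or from Logstash) that runs the same three drop regexes over constructed sample lines, then parses the RFC 3164 header with a regex standing in for a grok pattern and normalises the year-less, zone-less syslog timestamp to ISO 8601. The sample lines, hosts, PIDs and the assumed year and timezone are all constructed for the example; the `_grokparsefailure` tag is the one Logstash's grok filter adds on a non-matching line.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, shaped like RFC 3164 syslog as it arrives on a raw
# udp/tcp input (the input does no parsing). Hosts, PIDs and users are made up.
SAMPLE_LINES = [
    "<34>Nov 18 20:59:01 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52144 ssh2",
    "<13>Nov 18 20:59:02 app01 ohs: Warning: Could not obtain lock on /mnt/oracle/ohs/logs",
    "<13>Nov 18 20:59:03 app01 last message repeated 3 times",
    "<13>Nov 18 20:59:04 app01 oam: Access Server SDK: No log writers",
    "<85>Nov 18 20:59:05 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/ls",
    "this line has no syslog header at all",
]

# The three "useless message" regexes from the page's drop { } conditional.
DROP_PATTERNS = [
    re.compile(r"Access Server SDK: No log writers"),
    re.compile(r"Warning: Could not obtain lock on /mnt/oracle/ohs"),
    re.compile(r"last message repeated [0-9]+ times"),
]

# Regex standing in for a grok pattern of the RFC 3164 header. Each named group
# plays the role of a %{PATTERN:field} capture. The "program[pid]: " prefix is
# optional because lines such as "last message repeated N times" carry none.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<message>.*)$"
)


def should_drop(raw):
    """Mirror of the page's `if [message] =~ /.../ { drop { } }` block."""
    return any(p.search(raw) for p in DROP_PATTERNS)


def normalise_timestamp(stamp, year, tz=timezone.utc):
    """RFC 3164 stamps carry neither year nor zone; both are assumptions about the
    sender supplied by the caller. Parsing with the year included (rather than
    patching it in afterwards) keeps Feb 29 valid in leap years."""
    parsed = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return parsed.replace(tzinfo=tz).isoformat()


def parse_syslog(raw, year, tz=timezone.utc):
    """Grok-equivalent parse. On failure the event is tagged the way Logstash's
    grok filter tags it (_grokparsefailure) and the raw line stays as the message."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        return {"message": raw, "tags": ["_grokparsefailure"]}
    pri = int(m["pri"])
    return {
        "facility": pri // 8,  # RFC 3164: PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": normalise_timestamp(m["timestamp"], year, tz),
        "host": m["host"],
        "program": m["program"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["message"],
        "tags": [],
    }


def process(lines, year, tz=timezone.utc):
    """Apply the chain in the page's order: drop on the raw message first, then
    parse whatever survives."""
    return [parse_syslog(raw, year, tz) for raw in lines if not should_drop(raw)]


if __name__ == "__main__":
    for event in process(SAMPLE_LINES, year=2014):
        print(event)
```

Running the block prints three events: the sshd and sudo lines fully parsed, and the header-less line kept but tagged `_grokparsefailure` so it can be routed or alerted on rather than silently lost. The year and timezone are deliberately explicit parameters: a syslog timestamp tells you neither, and guessing them from the receiving host is exactly the normalisation problem that motivated skipping the built-in syslog input.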