linux007
6/2/2014 - 3:39 PM

PHP error logging into Logstash + Elasticsearch, with stack traces joined into a single event and the web root path hidden


input {

  # Tail the PHP error log and label every event "php-error" so the
  # filter section can select these events with its [type] conditional.
  #
  # NOTE(review): the log sits under /var/www, the same prefix the filter
  # section strips as the application root. If that directory is served by
  # the web server, the raw log (absolute paths, stack traces) may be
  # retrievable over HTTP. Confirm it is outside the document root or
  # denied by the server configuration.
  file {
    path => "/var/www/error_log"
    type => "php-error"
    # Read-position bookkeeping for this input. The file name says "access"
    # although it tracks the error log; presumably a copy-paste leftover.
    # Verify no other input shares this sincedb file.
    sincedb_path => "/opt/logstash/sincedb-access"
  }

}

# Filter stage: strip the web root from paths, parse PHP error lines into
# fields, fold stack-trace lines into the preceding event, set @timestamp
# from the logged time, then normalise the level and tags.
filter {

  # Remove the literal "/var/www" prefix from the message text and from the
  # source-file "path" field. This mutate is outside the [type] conditional,
  # so it applies to every event in the pipeline, not only php-error.
  # gsub patterns are regular expressions and are not anchored here, so every
  # occurrence is removed (e.g. "/var/www2/x" becomes "2/x"), and the original
  # absolute path is not kept anywhere on the event.
  # NOTE(review): the "message" rule appears twice; the second pass has
  # nothing left to replace.
  mutate {
    gsub         => [
      "message", "/var/www", "",
      "message", "/var/www", "",
      "path",    "/var/www", ""
    ]
  }

  if [type] == "php-error" {
      # Parse "[dd-Mon-yyyy HH:mm:ss Zone/City] PHP <level>:  <error>".
      # The pattern requires a "zone/country" pair, so a line logged with a
      # zone that has no slash (e.g. "UTC") will not match.
      # On a match: "timestamp" is rebuilt from the captured parts, the raw
      # level text is added as a tag, and the temporary captures are dropped.
      # The pattern has no leading ^, so it may match at any position in a line.
      # NOTE(review): PHP error text can carry request-derived strings;
      # anchoring the pattern at line start would keep "level" and the derived
      # tag from being taken from mid-line content. Confirm before changing.
      grok {
        match => [ "message", "\[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{WORD:zone}/%{WORD:country}\] PHP %{DATA:level}\:  %{GREEDYDATA:error}" ]
        add_field    => { "timestamp" => "%{day}-%{month}-%{year} %{time} %{zone}/%{country}" }
        add_tag      => [ "%{level}" ]
        remove_field => [ "day", "month", "year", "time", "zone", "country" ]
      }
       # Join continuation lines ("Stack trace:", "#n ..." frames, lines that
       # start with whitespace or "", and "  thrown") onto the previous event.
       # This runs after grok, so each continuation line goes through grok on
       # its own first; presumably those lines get grok's failure tag before
       # being merged. Verify the tags on a merged event.
       # NOTE(review): later Logstash releases recommend the multiline codec
       # on the input instead of this filter. Check against the version in use.
       multiline {
        pattern => "(Stack trace:)|(^#.+)|(^\"\")|(  thrown+)|(^\s)"
        what    => "previous"
      }
      # Set @timestamp from the "timestamp" field built by grok, then drop it.
      # The field is assembled as "dd-MMM-yyyy HH:mm:ss Zone/City", which
      # corresponds to the second format listed; the first format does not fit
      # the field as built above.
      # Events that did not match grok have no "timestamp" field, so this
      # filter has nothing to parse for them.
      date {
        timezone     => "America/Mexico_City"
        match        => [ "timestamp" , "yyyy-MM-dd HH:mm:ss", "dd-MMM-yyyy HH:mm:ss ZZZ" ]
        target       => "@timestamp"
        remove_field => "timestamp"
      }
  }

  # Normalise for searching: upper-case "level", lower-case the tags, and
  # replace spaces with underscores in both (e.g. "Fatal error" gives level
  # FATAL_ERROR and tag fatal_error). Like the first mutate, this is outside
  # the conditional and applies to all events.
  mutate {
    uppercase => [ "level" ]
    lowercase => [ "tags" ]
    gsub      => [
      "tags",  " ", "_",
      "level", " ", "_"
    ]
  }

}

output {

  # Debug aid: print every processed event in full to standard output.
  # NOTE(review): this copies PHP error content (messages, stack traces)
  # into whatever captures Logstash's stdout. Consider dropping it, or
  # restricting access to that destination, once the pipeline is verified.
  stdout { codec => rubydebug }

  # Index events into the Elasticsearch node on this machine.
  # Only the host is set here; no credentials or transport encryption are
  # configured in this block, so access control depends on the node being
  # reachable only locally. Confirm its bind address.
  elasticsearch {
    host => "localhost"
  }

}