Logstash config example
input {
file {
type => "syslog"
# Wildcards work here
path => [ "/var/log/messages", "/var/log/syslog", "/var/log/*.log" ]
}
file {
type => "apache-access"
path => "/var/log/apache2/access.log"
}
file {
type => "apache-error"
path => "/var/log/apache2/error.log"
}
}
output {
# Output events to stdout for debugging. Feel free to remove
# this output if you don't need it.
stdout { debug => true debug_format => "json"}
redis { host => "logs.i.att.io" data_type => "list" key => "logstash" }
}
input {
redis {
host => "127.0.0.1"
type => "redis-input"
# these settings should match the output of the agent
data_type => "list"
key => "logstash"
# We use json_event here since the sender is a logstash agent
message_format => "json_event"
}
}
filter {
grok {
type => "syslog" # for logs of type "syslog"
pattern => "%{SYSLOGLINE}"
# You can specify multiple 'pattern' lines
}
date {
type => "syslog"
# The 'timestamp' and 'timestamp8601' names are for fields in the
# logstash event. The 'SYSLOGLINE' grok pattern above includes a field
# named 'timestamp' that is set to the normal syslog timestamp if it
# exists in the event.
timestamp => "MMM d HH:mm:ss" # syslog 'day' value can be space-leading
timestamp => "MMM dd HH:mm:ss"
timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format
}
}
output {
stdout { debug => true debug_format => "json"}
elasticsearch {
host => "127.0.0.1"
}
}