taizilongxu
7/2/2012 - 1:53 AM

Logstash config example

Logstash config example

input {
  file {
    type => "syslog"

    # Wildcards work here
    path => [ "/var/log/messages", "/var/log/syslog", "/var/log/*.log" ]
  }

  file {
    type => "apache-access"
    path => "/var/log/apache2/access.log"
  }

  file {
    type => "apache-error"
    path => "/var/log/apache2/error.log"
  }
}

output {
  # Output events to stdout for debugging. Feel free to remove
  # this output if you don't need it.
  stdout { debug => true debug_format => "json"}
  redis { host => "logs.i.att.io" data_type => "list" key => "logstash" }
}
input {
  redis {
    host => "127.0.0.1"
    type => "redis-input"
    # these settings should match the output of the agent
    data_type => "list"
    key => "logstash"
    # We use json_event here since the sender is a logstash agent
    message_format => "json_event"
  }
}


filter {
  grok {
    type => "syslog" # for logs of type "syslog"
    pattern => "%{SYSLOGLINE}"
    # You can specify multiple 'pattern' lines
  }

  date {
    type => "syslog"

    # The 'timestamp' and 'timestamp8601' names are for fields in the
    # logstash event.  The 'SYSLOGLINE' grok pattern above includes a field
    # named 'timestamp' that is set to the normal syslog timestamp if it
    # exists in the event.
    timestamp => "MMM  d HH:mm:ss"   # syslog 'day' value can be space-leading
    timestamp => "MMM dd HH:mm:ss"
    timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format
  }

}
output {
  stdout { debug => true debug_format => "json"}

  elasticsearch {
    host => "127.0.0.1"
  }
}