logstash-beat.conf
# Beats input: receives events shipped by Beats agents (for example Filebeat).
input {
  beats {
    # Sets the event's "type" field to "beats" when the event does not already carry one.
    type => "beats"
    # Listens on every network interface. No TLS or client-certificate options
    # are set in this block, so connections are accepted in plaintext from any
    # host that can reach the port.
    # NOTE(review): either limit reachability (bind address / firewall) or enable
    # the plugin's TLS and client-authentication settings. Without one of those,
    # any reachable peer can submit events that will be indexed as if they were
    # genuine logs, and shipped log lines cross the network unencrypted.
    host => "0.0.0.0"
    port => 5044
  }
}
# Outputs: every event that leaves the filter stage is written to both sinks below.
output {
  # Index events into the Elasticsearch node on the same host.
  # No index name, credentials or TLS options are set in this block, so the
  # plugin defaults apply.
  # NOTE(review): presumably this relies on an unauthenticated node bound to
  # localhost — confirm that port 9200 is not reachable from other hosts, or
  # configure authentication and TLS on this output.
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  # Pretty-print every event to the Logstash process's stdout.
  # NOTE(review): this duplicates all parsed fields (user names, client IPs,
  # request lines) into wherever stdout is captured; that copy needs the same
  # access control and retention as the index, or this sink should be dropped
  # outside of debugging.
  stdout {
    codec => rubydebug
  }
}
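# Filter stage: picks one grok pattern per event and extracts structured fields
# from WSO2 Carbon logs (startup info, errors, HTTP access log, audit log).
#
# Routing order matters because only the first matching branch runs. The HTTP
# access-log branch is tested first: it is selected by the event's [source]
# field rather than by message content. Access-log lines contain
# client-supplied text (request line, referrer, user agent); when the
# substring checks on [message] ran first, such a line that happened to contain
# "ERROR" or "CarbonCoreActivator" was sent to the wrong pattern, failed to
# parse, and ended up without client_ip / status_code fields.
#
# NOTE(review): [source] is presumably the file path set by the shipper; newer
# Beats versions expose the path under [log][file][path] — confirm against the
# deployed Filebeat version.
#
# NOTE(review): every pattern uses GREEDYDATA between delimiters, so delimiter
# characters inside logged values can shift field boundaries. Treat extracted
# fields as untrusted text, and alert on the default _grokparsefailure tag so
# that unparsed events are noticed.
#
# NOTE(review): "timestamp" / "actiontime" are captured as plain strings; there
# is no date filter in this block, so @timestamp is not derived from them.
filter {
  # HTTP access log of the management console, selected by source path.
  # Extracts: client_ip, timestamp, request, status_code, url, browser_details.
  if [source] =~ "http_access_management_console" {
    grok {
      match => { "message" => "\A%{IP:client_ip} - - \[%{GREEDYDATA:timestamp}\] \"%{GREEDYDATA:request}\" %{NUMBER:status_code} %{GREEDYDATA} \"%{GREEDYDATA:url}\" \"%{GREEDYDATA:browser_details}\"" }
    }
  # Key/value lines emitted by CarbonCoreActivator.
  # Extracts: tenant_id, timestamp, loglevel, key, value.
  } else if [message] =~ "CarbonCoreActivator" {
    grok {
      match => { "message" => "\ATID: \[%{GREEDYDATA:tenant_id}\] \[] \[%{GREEDYDATA:timestamp}\] %{LOGLEVEL:loglevel} \{org\.wso2\.carbon\.core\.internal\.CarbonCoreActivator} - %{GREEDYDATA:key} : %{GREEDYDATA:value} \{org\.wso2\.carbon\.core\.internal\.CarbonCoreActivator}" }
    }
  # Carbon log lines containing "ERROR".
  # Extracts: tenant_id, timestamp, loglevel, error_generator, error_message.
  # This is a substring test on the whole message, so any remaining line that
  # merely contains "ERROR" (for example inside a logged user name) lands here
  # and fails to parse unless it has the "TID: [...]" layout.
  } else if [message] =~ "ERROR" {
    grok {
      match => { "message" => "\ATID: \[%{GREEDYDATA:tenant_id}\] \[] \[%{GREEDYDATA:timestamp}\] %{LOGLEVEL:loglevel} \{%{GREEDYDATA:error_generator}\} - %{GREEDYDATA:error_message} \{%{GREEDYDATA}\}" }
    }
  # Audit lines containing "logged" (login/logout style events).
  # Extracts: timestamp, loglevel, user, tenant_id, action, actiontime.
  } else if [message] =~ "logged" {
    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:loglevel} - \'%{GREEDYDATA:user} \[%{GREEDYDATA:tenant_id}\]\' %{GREEDYDATA:action} at \[%{TIMESTAMP_ISO8601:actiontime}\]"}
    }
  }
}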