logstash.conf
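# Logstash pipeline: nginx accounting lines arrive over syslog, are parsed into
# typed fields, per-status counts are aggregated, and events are indexed into
# weekly Elasticsearch indices.
input {
  syslog {
    # The syslog input binds every interface unless `host` is set; restrict it
    # to the interface the nginx hosts use, since the input is unauthenticated
    # and anything reaching this port can inject accounting records.
    port => 29124
  }
}

filter {
  # Parse the fixed-format accounting line. The tail after upstream_latency_ms
  # is a "|"-separated list of status:count pairs, kept raw in `statuses`.
  # `from`/`to` are 10-digit UNIX epoch seconds (converted by the date filters
  # below). Note the leading timestamp is matched but not captured into a field.
  grok {
    pattern_definitions => {
      "TIMESTAMP_NGX" => "%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND})"
    }
    match => {
      "message" =>
        "%{TIMESTAMP_NGX} \[%{LOGLEVEL}] %{NUMBER}\#%{NUMBER}: pid:%{NUMBER:pid:int}\|from:(?<from>\d{10})\|to:(?<to>\d{10})\|accounting_id:(?<accounting_id>[^|]+)\|%{WORD:entry_type}:%{NUMBER:nr_entries:int}\|bytes_in:%{NUMBER:in_bytes:int}\|bytes_out:%{NUMBER:out_bytes:int}\|latency_ms:%{NUMBER:latency_ms:int}\|upstream_latency_ms:%{NUMBER:upstream_latency_ms:int}\|%{GREEDYDATA:statuses}"
    }
    # Syslog envelope fields that carry no accounting information.
    remove_field => [ "host", "severity", "facility", "priority", "severity_label", "facility_label" ]
  }

  # @timestamp stays at ingest time. To use the nginx timestamp instead, enable
  # this block and also capture TIMESTAMP_NGX into `timestamp` in the grok
  # pattern above (it is currently matched without a field name).
  # date {
  #   match => [ "timestamp" , "yyyy/MM/dd HH:mm:ss" ]
  #   target => '@timestamp'
  #   # timezone => 'Asia/Shanghai'
  #   remove_field => [ "timestamp" ]
  # }

  # Epoch seconds -> date fields. remove_field only applies on a successful
  # parse, so a malformed value is left in place for inspection.
  date {
    match => [ "from" , "UNIX" ]
    target => '@from'
    remove_field => [ "from" ]
  }
  date {
    match => [ "to" , "UNIX" ]
    target => '@to'
    remove_field => [ "to" ]
  }

  # "200:12|404:3" -> { "200" => "12", "404" => "3" }. Keys come straight from
  # the log line and later become field names under @nr_status, so a malformed
  # tail can introduce arbitrary field names into the index.
  kv {
    source => "statuses"
    target => "statuses_kv"
    field_split => "|"
    value_split => ":"
    remove_field => [ "statuses" ]
  }

  # @nr_status: count per exact status code (as integers).
  # @agg_status: counts summed per class ("2xx", "4xx", ...).
  # Only keys starting with a digit are bucketed; previously '%dxx' % key[0]
  # raised on a non-numeric key and the whole event failed with _rubyexception.
  ruby {
    code => "
      counts = {}
      agg = Hash.new(0)
      (event.get('statuses_kv') || {}).each do |key, value|
        key = key.to_s
        count = value.to_i
        counts[key] = count
        next unless key[0].to_s.between?('0', '9')
        agg[key[0] + 'xx'] += count
      end
      event.set('@agg_status', agg)
      event.set('@nr_status', counts)
    "
    remove_field => [ "statuses_kv" ]
  }
}

output {
  # Echoes every event to stdout; useful while developing, noisy in production.
  stdout { codec => rubydebug }
  # Plain HTTP with no credentials: Elasticsearch must only be reachable from
  # this pipeline's network. Set `ssl`/`user`/`password` (or an API key) if the
  # cluster is exposed beyond it.
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    manage_template => true
    template_overwrite => true
    template => "/etc/logstash/es_template_accounting.json"
    # One index per ISO week (week-year.week).
    index => "ngx_accounting-%{+xxxx.ww}"
  }
}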