input { beats { port => 5044 ssl => true ssl_certificate => "/var/lib/logstash/beats.crt" ssl_key => "/var/lib/logstash/beats.key" } } filter { if [type] == "apache" { grok { match => [ "message", "%{COMBINEDAPACHELOG} %{NUMBER:duration:int}us %{NOTSPACE:request_id} %{NOTSPACE:ssl_protocol} %{NOTSPACE:ssl_cipher}" ] } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] } if [agent] == "-" { mutate { remove_field => [ "agent" ] } } else { useragent { source => "agent" target => "useragent" } grok { match => { "agent" => "%{JOSM:[useragent][name]=JOSM}/%{POSINT:[useragent][major]}\.%{POSINT:[useragent][minor]} \(%{POSINT:[useragent][patch]} \w+\) " } overwrite => [ "[useragent][name]", "[useragent][major]", "[useragent][minor]", "[useragent][patch]" ] tag_on_failure => [] } mutate { rename => { "agent" => "[useragent][raw]" } } } } else if [type] == "rails" { json { source => "message" remove_field => [ "message", "[parameters][authenticity_token]", "[parameters][pass_crypt]", "[parameters][pass_crypt_confirmation]", "[parameters][utf8]" ] } if [duration] { ruby { code => "event['duration'] = Integer(event['duration'] * 1000000)" } } if [db] { ruby { code => "event['db'] = Integer(event['db'] * 1000000)" } } if [view] { ruby { code => "event['view'] = Integer(event['view'] * 1000000)" } } } if [host] =~ /^spike-/ { mutate { add_tag => [ "frontend" ] } } else if [host] =~ /^thorn-/ { mutate { add_tag => [ "backend" ] } } } output { elasticsearch { hosts => [ "127.0.0.1" ] } }