input { lumberjack { port => 5043 ssl_certificate => "/var/lib/logstash/lumberjack.crt" ssl_key => "/var/lib/logstash/lumberjack.key" } } filter { if [type] == "apache" { grok { match => [ "message", "%{COMBINEDAPACHELOG} %{NUMBER:duration:int}us %{NOTSPACE:request_id} %{NOTSPACE:ssl_protocol} %{NOTSPACE:ssl_cipher}" ] } date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] } if [agent] == "-" { mutate { remove_field => [ "agent" ] } } else { useragent { source => "agent" target => "useragent" } grok { match => { "agent" => "%{JOSM:[useragent][name]=JOSM}/%{POSINT:[useragent][major]}\.%{POSINT:[useragent][minor]} \(%{POSINT:[useragent][patch]} \w+\) " } overwrite => [ "[useragent][name]", "[useragent][major]", "[useragent][minor]", "[useragent][patch]" ] tag_on_failure => [] } mutate { rename => { "agent" => "[useragent][raw]" } } } } else if [type] == "rails" { json { source => "message" remove_field => [ "message", "[parameters][authenticity_token]", "[parameters][pass_crypt]", "[parameters][pass_crypt_confirmation]", "[parameters][utf8]" ] } } if [host] =~ /^spike-/ { mutate { add_tag => [ "frontend" ] } } else if [host] =~ /^thorn-/ { mutate { add_tag => [ "backend" ] } } } output { elasticsearch { host => [ "127.0.0.1" ] cluster => "<%= node[:elasticsearch][:cluster][:name] %>" } }