filter {
if [type] == "apache" {
grok {
- match => [ "message", "%{COMBINEDAPACHELOG} %{NUMBER:duration:int}us %{WORD:request_id} %{NOTSPACE:ssl_protocol} %{NOTSPACE:ssl_cipher}" ]
+ match => [ "message", "%{COMBINEDAPACHELOG} %{NUMBER:duration:int}us %{NOTSPACE:request_id} %{NOTSPACE:ssl_protocol} %{NOTSPACE:ssl_cipher}" ]
}
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
+ if [agent] == "-" {
+ mutate {
+ remove_field => [ "agent" ]
+ }
+ } else {
+ useragent {
+ source => "agent"
+ target => "useragent"
+ }
+ grok {
+ match => { "agent" => "%{JOSM:[useragent][name]=JOSM}/%{POSINT:[useragent][major]}\.%{POSINT:[useragent][minor]} \(%{POSINT:[useragent][patch]} \w+\) " }
+ overwrite => [ "[useragent][name]", "[useragent][major]", "[useragent][minor]", "[useragent][patch]" ]
+ tag_on_failure => []
+ }
+ mutate {
+ rename => { "agent" => "[useragent][raw]" }
+ }
+ }
} else if [type] == "rails" {
json {
source => "message"
+ remove_field => [
+ "message",
+ "[parameters][authenticity_token]",
+ "[parameters][pass_crypt]",
+ "[parameters][pass_crypt_confirmation]",
+ "[parameters][utf8]"
+ ]
+ }
+ }
+
+ if [host] =~ /^spike-/ {
+ mutate {
+ add_tag => [ "frontend" ]
+ }
+ } else if [host] =~ /^thorn-/ {
+ mutate {
+ add_tag => [ "backend" ]
}
}
}
output {
elasticsearch {
host => [ "127.0.0.1" ]
+ cluster => "<%= node[:elasticsearch][:cluster][:name] %>"
}
}