all-log-types-logstash.conf
# Single entry point for every log source: newline-delimited JSON over TCP.
#
# SECURITY NOTE(review): no `host` is set, so the tcp input listens on its
# default of all interfaces (0.0.0.0), and no TLS or client-certificate
# settings are configured. As written, anything that can reach port 5000 can
# submit events, and log data crosses the network in clear text. Restrict the
# port with a host firewall or an explicit `host`, or enable the plugin's TLS
# options (`ssl_enabled` on current releases, `ssl_enable` on older ones)
# together with client authentication.
input {
  tcp {
    id    => "tcp_5000"
    port  => 5000
    # One JSON document per line; every field, including [type], is taken
    # from the sender's payload as-is.
    codec => "json_lines"
  }
}
# Per-source enrichment. Routing is keyed on [type], which arrives inside the
# event itself (see the json_lines codec on the input) and is not validated
# here, so it is only as trustworthy as the sender.
filter {
  if [type] == "iis" {
    # Parse the IIS "gmt_time" value as GMT and store it in @timestamp
    # (the date filter's default target). If parsing fails the event is
    # tagged _dateparsefailure and keeps its ingestion time, so alert on
    # that tag to catch malformed or tampered timestamps.
    date {
      id       => "iis_timestamp"
      match    => ["gmt_time", "yyyy-MM-dd HH:mm:ss"]
      timezone => "Etc/GMT"
    }

    # Break the raw User-Agent header into structured fields under
    # [http_agent]. The header is client-controlled: useful for hunting,
    # not for trust decisions.
    useragent {
      id     => "iis_useragent"
      source => "http_useragent"
      target => "http_agent"
    }

    # Add location data for the client address.
    # NOTE(review): presumably src_ip is the IIS c-ip field; behind a proxy
    # or load balancer it would be the proxy's address. Confirm against the
    # shipper configuration.
    geoip {
      id     => "iis_add_src_ip_geoip"
      source => "src_ip"
      target => "src_ip_geoip"
      fields => ["country_name", "region_name", "city_name", "location", "continent_code"]
    }

    # Lowercase site_name so aggregations are case-insensitive, and drop
    # the user-agent patch level.
    mutate {
      id           => "iis_normalize_fields"
      lowercase    => ["site_name"]
      remove_field => ["[http_agent][patch]"]
    }
  } else if [type] == "perfmon" {
    # Parse EventTime as US Pacific local time into @timestamp.
    # NOTE(review): the zone is hard-coded; collectors in any other zone
    # would be shifted. remove_field is applied only when the parse
    # succeeds, so EventTime remains on events tagged _dateparsefailure.
    date {
      id           => "perfmon_timestamp"
      match        => ["EventTime", "MM/dd/yyyy HH:mm:ss.SSS"]
      timezone     => "America/Los_Angeles"
      locale       => "en"
      remove_field => ["EventTime"]
    }
  }
}
# Ship each log type to its own monthly Elasticsearch index on the local node.
#
# NOTE(review): there is no final `else` branch, so an event whose [type] is
# neither "iis" nor "perfmon" matches no output and is not indexed anywhere.
# If that is not intentional, add a catch-all index so unexpected or
# mislabelled events stay visible.
#
# NOTE(review): no user/password or TLS settings are given and the hosts have
# no scheme, so the connection is plain HTTP without credentials. That only
# works against a cluster with security features disabled; confirm that port
# 9200 is bound to loopback only.
output {
  if [type] == "iis" {
    elasticsearch {
      id    => "iis"
      hosts => ["127.0.0.1:9200"]
      # The suffix is rendered from @timestamp, which the filter stage sets
      # from the event's own gmt_time, so a wrong or forged date lands in a
      # different monthly index.
      index => "log_iis-%{+YYYY.MM}"
    }
  } else if [type] == "perfmon" {
    elasticsearch {
      id    => "perfmon"
      hosts => ["127.0.0.1:9200"]
      index => "log_perfmon-%{+YYYY.MM}"
    }
  }
}