skord · January 24, 2017 20:47
diff --git a/logstash.conf b/logstash.conf
 input {
  tcp {
    port => 5000
    type => syslog
  }
  file {
    start_position => "beginning"
    path => "/var/log/maxscale/maxscale.log"
    type => "maxscale"
  }
 }

 filter {
  if [type] == "maxscale" {
    date {
      match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
    }
    grok {
      match => {"message" => '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Added server \'%{WORD:server_name}\' to monitor \'%{WORD:monitor_name}\''}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Removed server '%{WORD:server_name}' from monitor '%{WORD:monitor_name}'"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Added server '%{WORD:server_name}' to service '%{WORD:service_name}'"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Removed server '%{WORD:server_name}' from service '%{WORD:service_name}'"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Created server '%{WORD:server_name}' at %{IPORHOST:address}:%{POSINT:port}"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Destroyed server '%{WORD:server_name}' at %{IPORHOST:address}:%{POSINT:port}"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Server changed state: %{WORD:server_name}\[%{IPORHOST:address}:%{POSINT:port}\]:%{SPACE}%{DATA}\.%{SPACE}\[%{GREEDYDATA:previous_state}\] -> \[%{GREEDYDATA:state}\]"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Created monitor '%{WORD:monitor_name}'"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Destroyed monitor '%{WORD:monitor_name}'\. The monitor will be removed after the next restart of MaxScale."}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Created listener '%{WORD:listener_name}' at %{IPORHOST:address}:%{POSINT:port} for service '%{WORD:service_name}'"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Destroyed listener '%{WORD:listener_name}' for service '%{WORD:service_name}'. The listener will be removed after the next restart of MaxScale."}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}\[%{WORD:listener_name}\] Initializing statement-based read/write split router module."}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE} Loaded module %{WORD:module_name}:%{SPACE}V%{INT:version_major}\.%{INT:version_minor}\.%{INT:version_patch} from %{PATH:module_path}"}
      match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Listening connections at %{IPORHOST:address}:%{POSINT:port} with protocol %{WORD:protocol}"}
    }
  }
 }


 ## Add your filters / logstash plugins configuration here

 output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "elastic"
    password => "changeme"
  }
 }
	input {
	tcp {
	port => 5000
	type => syslog
	}
	file {
	start_position => "beginning"
	path => "/var/log/maxscale/maxscale.log"
	type => "maxscale"
	}
	}

	filter {
	if [type] == "maxscale" {
	date {
	match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
	}
	grok {
	match => {"message" => '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Added server \'%{WORD:server_name}\' to monitor \'%{WORD:monitor_name}\''}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Removed server '%{WORD:server_name}' from monitor '%{WORD:monitor_name}'"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Added server '%{WORD:server_name}' to service '%{WORD:service_name}'"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Removed server '%{WORD:server_name}' from service '%{WORD:service_name}'"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Created server '%{WORD:server_name}' at %{IPORHOST:address}:%{POSINT:port}"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Destroyed server '%{WORD:server_name}' at %{IPORHOST:address}:%{POSINT:port}"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Server changed state: %{WORD:server_name}\[%{IPORHOST:address}:%{POSINT:port}\]:%{SPACE}%{DATA}\.%{SPACE}\[%{GREEDYDATA:previous_state}\] -> \[%{GREEDYDATA:state}\]"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Created monitor '%{WORD:monitor_name}'"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Destroyed monitor '%{WORD:monitor_name}'\. The monitor will be removed after the next restart of MaxScale."}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Created listener '%{WORD:listener_name}' at %{IPORHOST:address}:%{POSINT:port} for service '%{WORD:service_name}'"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Destroyed listener '%{WORD:listener_name}' for service '%{WORD:service_name}'. The listener will be removed after the next restart of MaxScale."}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}\[%{WORD:listener_name}\] Initializing statement-based read/write split router module."}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE} Loaded module %{WORD:module_name}:%{SPACE}V%{INT:version_major}\.%{INT:version_minor}\.%{INT:version_patch} from %{PATH:module_path}"}
	match => {"message" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:%{MINUTE}:%{SECOND}%{SPACE}%{LOGLEVEL:severity}%{SPACE}:%{SPACE}Listening connections at %{IPORHOST:address}:%{POSINT:port} with protocol %{WORD:protocol}"}
	}
	}
	}


	## Add your filters / logstash plugins configuration here

	output {
	elasticsearch {
	hosts => "elasticsearch:9200"
	user => "elastic"
	password => "changeme"
	}
	}