Using this article as a starting point, I came up with a logstash.conf file that handles both IIS and Apache Tomcat logs at the same time.
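# Logstash pipeline that tails IIS W3C logs and Tomcat access logs on the same
# Windows host, parses each format, and indexes both into Elasticsearch.
input {
  file {
    path => ["C:/inetpub/logs/LogFiles/W3SVC1/*.log"]
    # `type` is a string setting; a one-element array was accepted, but the
    # plain string is the conventional form.
    type => "iislog"
  }
  file {
    path => ["C:/Program Files/apache-tomcat-7.0.55/logs/*.txt"]
    type => "tomcatTxtLog"
  }
}

filter {
  if [type] == "iislog" {
    # IIS writes '#'-prefixed header lines (among them the '#Fields:' line that
    # names the column order). They carry no events, so they are dropped; but
    # the grok pattern below assumes one specific column layout, so check it
    # against the '#Fields:' line of the log actually being shipped.
    if [message] =~ "^#" {
      drop {}
    }
    # Lines the pattern does not match are still indexed, tagged
    # _grokparsefailure, so parse failures stay visible in the index.
    grok {
      match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{NOTSPACE:Sip} %{NOTSPACE:verb} %{URIPATH:request} %{NOTSPACE:QueryString} %{NUMBER:port} %{NOTSPACE:Hyphen1} %{NOTSPACE:Cip} %{NOTSPACE:httpversion} %{NOTSPACE:UserAgent} %{NOTSPACE:Hyphen2} %{NOTSPACE:Hyphen3} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:bytes:int} %{NUMBER:timetaken:int}"]
    }
    date {
      # The IIS stamp carries no offset, so it is read as UTC (Etc/GMT) and
      # becomes @timestamp.
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/GMT"
    }
    mutate {
      # Drop the placeholder columns and the raw stamp (now in @timestamp).
      # The client address (Cip) is kept on purpose: it is the primary pivot
      # when a request has to be investigated, so it must not be discarded.
      remove_field => [ "Hyphen1", "Hyphen2", "Hyphen3", "Sip", "log_timestamp" ]
    }
  }
  else if [type] == "tomcatTxtLog" {
    # Same header handling as above.
    if [message] =~ "^#" {
      drop {}
    }
    # Tomcat access logs in the "common" layout match the stock pattern.
    grok {
      match => ["message", "%{COMMONAPACHELOG}"]
    }
    date {
      # `Z` reads the offset from the stamp itself; `timezone` only applies to
      # a stamp that carries none.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      timezone => "Etc/GMT"
    }
    mutate {
      # The raw stamp is redundant once @timestamp is set.
      remove_field => [ "timestamp" ]
    }
  }
}

output {
  elasticsearch {
    # `cluster`/`protocol` belong to the older elasticsearch output; newer
    # plugin versions take `hosts` instead. No host is given, so this
    # presumably connects to the local node -- confirm before reuse.
    # Plain HTTP without credentials is acceptable for a single-user local
    # instance only; a shared cluster should sit behind TLS and authentication.
    cluster => "VivekLocalMachine"
    port => "9200"
    protocol => "http"
  }
}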
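# Logstash pipeline that tails IIS W3C logs and Tomcat access logs on the same
# Windows host, parses each format, and indexes both into Elasticsearch.
input {
  file {
    path => ["C:/inetpub/logs/LogFiles/W3SVC1/*.log"]
    # `type` is a string setting; a one-element array was accepted, but the
    # plain string is the conventional form.
    type => "iislog"
  }
  file {
    path => ["C:/Program Files/apache-tomcat-7.0.55/logs/*.txt"]
    type => "tomcatTxtLog"
  }
}

filter {
  if [type] == "iislog" {
    # IIS writes '#'-prefixed header lines (among them the '#Fields:' line that
    # names the column order). They carry no events, so they are dropped; but
    # the grok pattern below assumes one specific column layout, so check it
    # against the '#Fields:' line of the log actually being shipped.
    if [message] =~ "^#" {
      drop {}
    }
    # Lines the pattern does not match are still indexed, tagged
    # _grokparsefailure, so parse failures stay visible in the index.
    grok {
      match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{NOTSPACE:Sip} %{NOTSPACE:verb} %{URIPATH:request} %{NOTSPACE:QueryString} %{NUMBER:port} %{NOTSPACE:Hyphen1} %{NOTSPACE:Cip} %{NOTSPACE:httpversion} %{NOTSPACE:UserAgent} %{NOTSPACE:Hyphen2} %{NOTSPACE:Hyphen3} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:bytes:int} %{NUMBER:timetaken:int}"]
    }
    date {
      # The IIS stamp carries no offset, so it is read as UTC (Etc/GMT) and
      # becomes @timestamp.
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/GMT"
    }
    mutate {
      # Drop the placeholder columns and the raw stamp (now in @timestamp).
      # The client address (Cip) is kept on purpose: it is the primary pivot
      # when a request has to be investigated, so it must not be discarded.
      remove_field => [ "Hyphen1", "Hyphen2", "Hyphen3", "Sip", "log_timestamp" ]
    }
  }
  else if [type] == "tomcatTxtLog" {
    # Same header handling as above.
    if [message] =~ "^#" {
      drop {}
    }
    # Tomcat access logs in the "common" layout match the stock pattern.
    grok {
      match => ["message", "%{COMMONAPACHELOG}"]
    }
    date {
      # `Z` reads the offset from the stamp itself; `timezone` only applies to
      # a stamp that carries none.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      timezone => "Etc/GMT"
    }
    mutate {
      # The raw stamp is redundant once @timestamp is set.
      remove_field => [ "timestamp" ]
    }
  }
}

output {
  elasticsearch {
    # `cluster`/`protocol` belong to the older elasticsearch output; newer
    # plugin versions take `hosts` instead. No host is given, so this
    # presumably connects to the local node -- confirm before reuse.
    # Plain HTTP without credentials is acceptable for a single-user local
    # instance only; a shared cluster should sit behind TLS and authentication.
    cluster => "VivekLocalMachine"
    port => "9200"
    protocol => "http"
  }
}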