# Ingest finished IRC log files from the ubuntu-chatlogs spool. Each file is
# read once from the top ("read" mode, start at beginning) and then removed.
input {
file {
# Spool layout: one directory per channel, named with a literal leading "#".
path => [ "/var/lib/ubuntu-chatlogs/spool/#*/*" ]
start_position => beginning
mode => "read"
# NOTE(review): the file is deleted as soon as the input has finished reading
# it, not when the elasticsearch output has acknowledged the events. With the
# default in-memory queue an output outage or a Logstash crash loses those
# events and there is no source file left to replay — confirm the pipeline
# runs with a persisted queue (or change this to "log"/keep) before relying
# on this for an archive.
file_completed_action => "delete"
# Tracks per-file read progress so a restart does not re-ingest files that
# were already fully processed.
sincedb_path => "/var/lib/ubuntu-chatlogs/_sincedb.chatlogs"
ecs_compatibility => "v8"
# Newest files first; presumably so recent days reach the index before any backlog.
file_sort_by => "last_modified"
file_sort_direction => "desc"
codec => plain {
charset => "UTF-8"
ecs_compatibility => "v8"
}
}
}
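# Turn one raw IRC log line into a structured event: channel and date from the
# file name, time-of-day from the optional "[HH:MM]" prefix, then one of a
# fixed set of actions (message, join, part, kick, topic, mode, nick, action)
# with the nick(s) involved. Everything in "message" is untrusted user content.
filter {
  # Channel name and log date come from the spool file name
  # "#<channel>.<YYYY>-<MM>-<DD>"; the path itself is not indexed.
  grok {
    match => {
      "[log][file][path]" => "%{GREEDYDATA}/#%{DATA:channel}\.%{YEAR:year}-%{MONTHNUM2:month}-%{MONTHDAY:day}$"
    }
    add_field => {
      server => "Freenode/LiberaChat"
    }
    remove_field => "[log][file][path]"
  }

  # Optional leading "[HH:MM]". Lines without one (e.g. join/part noise) are
  # stamped at midnight so the date filter still yields the log's day.
  grok {
    match => { "message" => "^\[%{HOUR:hour}:%{MINUTE:minute}\]" }
  }
  if ![hour] {
    mutate { add_field => { hour => "00" } }
  }
  if ![minute] {
    mutate { add_field => { minute => "00" } }
  }
  mutate {
    add_field => { "grokdate" => "%{year}/%{month}/%{day} %{hour}:%{minute} +0000" }
    # A missing time prefix is expected, not a parse failure.
    remove_tag => [ "_grokparsefailure" ]
  }

  # Joda format letters: "d" is day-of-month, "D" is day-of-year. The two-digit
  # year fallbacks previously used "DD"/"D" and would have silently mis-dated
  # any file whose %{YEAR} matched with two digits; the file names seen in the
  # path pattern above use four-digit years, so in practice the first pattern
  # should always win.
  date {
    match => [ "grokdate",
      "YYYY/MM/dd HH:mm Z",
      "YYYY/M/d H:m Z",
      "YY/MM/dd HH:mm Z",
      "YY/M/d H:m Z"
    ]
    timezone => "Etc/UTC"
    remove_field => [ "year", "month", "day", "hour", "minute", "grokdate" ]
  }

  # Server/status lines ("=== ..." or "* ..."). First match wins.
  # NOTE(review): "hostmask" captures the joining user's user@host, which can
  # contain a hostname or IP address; decide whether that belongs in an
  # indexed public archive or should be dropped/hashed here.
  grok {
    match => { "message" => [
      "(===|\*)%{SPACE}(?<action>Topic) for %{NOTSPACE}: %{GREEDYDATA:text}",
      # Fixed: the original pattern read "set by {NOTSPACE:nick}" (missing "%"),
      # so it could only match that literal text and never captured the nick.
      "(===|\*)%{SPACE}(?<action>Topic) \(%{NOTSPACE}\): set by %{NOTSPACE:nick}",
      "(===|\*)%{SPACE}(?<nick>\S+) sets (?<action>mode) %{GREEDYDATA:mode}",
      "(===|\*)%{SPACE}(?<action>mode)/#%{NOTSPACE}%{SPACE}\[%{DATA:mode}\]%{SPACE}by (?<nick>\S+)",
      "(===|\*)%{SPACE}(?<nick>\S+) was (?<action>kick)ed off #%{NOTSPACE} by (?<who>\S+)%{SPACE}%{GREEDYDATA:reason}",
      "(===|\*)%{SPACE}(?<nick>\S+) changed the (?<action>topic) of #%{NOTSPACE} to %{GREEDYDATA:topic}",
      "(===|\*)%{SPACE}(?<nick>\S+) (\[%{DATA:hostmask}\]%{SPACE})?has (?<action>join)ed #%{NOTSPACE}"
    ] }
    remove_tag => [ "_grokparsefailure" ]
  }

  # Remaining line shapes are pre-filtered with a cheap anchored regex so the
  # GREEDYDATA grok only runs on lines that plausibly match; grok's default
  # per-match timeout still bounds pathological input.
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?(===|\*) \S+ \S+ has left" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>\S+)%{SPACE}(\[%{DATA}\]%{SPACE})?has left %{NOTSPACE}(%{SPACE}\[%{GREEDYDATA:reason}\])?" }
      add_field => { action => "part" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?(===|\*) \S+ is now known as" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<oldnick>\S+) is now known as (?<nick>\S+)" }
      add_field => { action => "nick" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }
  # Ordinary chat: "<nick> text".
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?<\S+>" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?\<(?<nick>[^\>]+)\>%{SPACE}%{GREEDYDATA:text}" }
      add_field => { action => "message" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }
  # /me actions: "* nick does something". The character class excludes lines
  # whose second token starts with "#", "(" or "[" so server notices already
  # tried above are not re-read as user actions.
  if ![action] and [message] =~ "^(\[\d\d:\d\d\] )?(===|\*) [^#\(\[]\S+" {
    grok {
      match => { "message" => "^(\[%{HOUR}:%{MINUTE}\] )?(===|\*)%{SPACE}(?<nick>\S+)%{SPACE}%{GREEDYDATA:text}" }
      add_field => { action => "action" }
      remove_tag => [ "_grokparsefailure" ]
    }
  }

  # Normalise identifiers so the same user aggregates regardless of case, and
  # strip any whitespace the patterns may have let through.
  mutate {
    lowercase => [ "action", "nick", "oldnick", "who" ]
    gsub => [ "nick", "\s", "", "oldnick", "\s", "", "who", "\s", "" ]
  }
  # Drop transport metadata and the raw line. NOTE(review): a line that matched
  # none of the shapes above is still indexed, but with "message" removed it
  # carries only channel/server/@timestamp — consider tagging or dropping
  # events that have no "action" so unparsed formats are visible.
  mutate {
    remove_field => "[host]"
    remove_field => "log"
    remove_field => "tags"
    remove_field => "message"
  }
}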
# Index every event into a single fixed-name index, provisioning the mapping
# from a local template file.
output {
elasticsearch {
# NOTE(review): plain http with no user/password, api_key or ssl options —
# the transport is unauthenticated and unencrypted, so anyone on the network
# path to elasticsearch-master:9200 can read the chat content or inject and
# alter documents. Acceptable only if that host is reachable solely from
# inside a trusted cluster network; otherwise add ssl/cacert and credentials.
hosts => [ "http://elasticsearch-master:9200" ]
# Fixed name, no date suffix: one ever-growing index. Presumably intentional
# for an archive; confirm an ILM/rollover policy exists if growth matters.
index => "logstash-chat-ubuntu"
template => "/usr/share/logstash/config/index-template.json"
template_name => "chatlogs_template"
}
}