logstash-arcgis-pipeline.conf
# Beats listener (Filebeat is the expected shipper given the [fields][type]
# routing in the filter section). As written the listener is plaintext and
# unauthenticated: the beats input's `ssl`, `ssl_certificate` and `ssl_key`
# options are not set, so log content travels unencrypted and any host that
# can reach port 5044 is accepted as a source of events.
input {
  beats {
    port => "5044"
  }
}
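filter {
  # ArcGIS Portal/Server log lines are single <Msg> XML elements; Filebeat
  # tags them with [fields][type] "portal" or "server". Anything else is
  # treated as a Tomcat/Catalina text log line.
  if [fields][type] =~ "portal" or [fields][type] =~ "server" {
    xml {
      source    => "message"
      store_xml => "false"
      # Only the three attributes/text nodes below are extracted; the parsed
      # document itself is not kept on the event.
      xpath => [ "/Msg/text()", "message_text" ]
      xpath => [ "string(/Msg/@type)", "level" ]
      xpath => [ "string(/Msg/@time)", "message_time" ]
    }
    mutate {
      # NOTE(review): level and message_time are indexed with [0] while
      # message_text is not; if the xml filter stores every xpath hit as an
      # array, a multi-node hit on /Msg/text() would be comma-joined here.
      # Left as-is; confirm against the xml filter version in use.
      replace => { "message" => "%{message_text}" }
      replace => { "level" => "%{level[0]}" }
      replace => { "message_time" => "%{message_time[0]}" }
    }
    date {
      match => [ "message_time", "yyyy-MM-dd'T'HH:mm:ss,S", "ISO8601" ]
    }
  } else {
    grok {
      match => { "message" => ["%{CATALINALOG}", "%{TOMCATLOG}"]}
    }
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS Z", "MMM dd, yyyy HH:mm:ss a" ]
    }
    # Default the level only when the grok pattern did not capture one.
    # The previous condition, `"" in [level]`, is a substring test: every
    # string contains "", so it was true whenever [level] was already
    # present and false when it was missing. add_field on an existing field
    # appends, turning a captured level into ["INFO", "WARNING"] while the
    # lines that actually lacked a level got no default at all.
    if ![level] {
      mutate {
        add_field => { "level" => "WARNING" }
      }
    }
  }
}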
output {
  # Plaintext, unauthenticated connection to a local Elasticsearch node.
  # The elasticsearch output's `user`/`password` and `ssl`/`cacert` options
  # are available if the cluster enforces security; no `index` is set, so
  # the plugin's default index naming applies.
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
  # Echoes every event, including the full log message text, to the
  # Logstash process's stdout in Ruby debug format. Handy while developing
  # the pipeline; duplicative and noisy once events go to Elasticsearch.
  stdout {
    codec => rubydebug
  }
}