As I discussed in IRC, I have a problem with the gelf output plugin not matching severity, and in turn, all severities being Alert, except for the case where the field is not present (it is Debug then).
For example:
{"@source":"file://pub1test/content/CQ_publish/crx-quickstart/logs/stdout.log","@type":"CQLog","@tags":[],"@fields":{"Filename":["stdout.log"],"timestamp":["21.09.2012 14:55:17"],"severity":["INFO"]},"@timestamp":"2012-09-21T12:55:17.000Z","@source_host":"pub1test","@source_path":"/content/CQ_publish/crx-quickstart/logs/stdout.log","@message":"21.09.2012 14:55:17 *INFO * SharedItemStateManager: Validating change-set hierarchy (SharedItemStateManager.java, line 732)"}
would leave an "Alert" severity in Graylog, but also leave a field severity with the INFO. Per the documentation, the matching is case-insensitive, so I believe this should work. My config is:
input {
  file {
    type => "AccessLog"
    add_field => ["Filename", "access.log"]
    path => ["/content/CQ_author/crx-quickstart/logs/access.log"]
  }
  file {
    type => "CQLog"
    add_field => ["Filename", "error.log"]
    # path fixed: was "crx-quistart", which matches no file
    path => ["/content/CQ_author/crx-quickstart/logs/error.log"]
  }
  file {
    type => "CQLog"
    add_field => ["Filename", "crx/error.log"]
    path => ["/content/CQ_author/crx-quickstart/logs/crx/error.log"]
  }
  file {
    type => "CQLog"
    add_field => ["Filename", "stdout.log"]
    path => ["/content/CQ_author/crx-quickstart/logs/stdout.log"]
  }
  file {
    type => "CQLog"
    add_field => ["Filename", "server.log"]
    path => ["/content/CQ_author/crx-quickstart/logs/server.log"]
  }
}

filter {
  grok {
    type => "AccessLog"
    #pattern => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} %{HTTPDATE:apatimestamp} "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|) "(?:%{URI:referrer}|)" %{QS:agent}'
    pattern => "%{CQAPACHE}"
    patterns_dir => "/content/CQ_author/logstash/patterns/"
  }
  date {
    type => "AccessLog"
    timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
  }
  # Join stack-trace continuation lines (leading whitespace) to the previous event
  multiline {
    type => "CQLog"
    pattern => "(java.lang.Exception)|\s"
    what => "previous"
  }
  grok {
    type => "CQLog"
    pattern => "%{CQTIME:timestamp} *%{LOGLEVEL:severity}"
    patterns_dir => "/content/CQ_author/logstash/patterns/"
  }
  date {
    type => "CQLog"
    # both formats for the same field go in one array; the key was listed twice before
    timestamp => ["dd.MM.yyyy HH:mm:ss.SSS", "dd.MM.yyyy HH:mm:ss"]
  }
}

output {
  gelf {
    host => "10.188.30.136"
    facility => "%{Filename}"
    # first candidate that resolves to a level wins; "i" is the fallback
    level => ["%{severity}", "i"]
  }
  stdout {
    debug => true
    debug_format => "json"
  }
}
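To make the expected behaviour concrete, here is an added Ruby reference implementation (not the gelf output plugin's code and not the reporter's) of the level resolution the documentation describes for `level => ["%{severity}", "i"]`: expand each candidate against the event, look it up case-insensitively, and take the first hit. The alias table, the comma-joining of array-valued fields and the treatment of a missing field as "unresolved" are assumptions; the sample event is trimmed from the stdout line above.

```ruby
require 'json'

# Syslog/GELF severities (RFC 5424 numbering); the one-letter keys are
# assumed aliases, included because the reporter's config falls back to "i".
LEVEL_MAP = {
  "emergency" => 0, "alert" => 1, "a" => 1, "critical" => 2, "c" => 2,
  "error" => 3, "e" => 3, "warning" => 4, "warn" => 4, "w" => 4,
  "notice" => 5, "n" => 5, "info" => 6, "i" => 6, "debug" => 7, "d" => 7,
}.freeze

# Expand %{name} tokens from @fields. Array values are joined with ",";
# a missing field makes the whole candidate unresolved (returns nil).
def expand(event, template)
  missing = false
  out = template.gsub(/%\{([^}]+)\}/) do
    value = (event["@fields"] || {})[$1]
    if value.nil?
      missing = true
      ""
    else
      Array(value).join(",")
    end
  end
  missing ? nil : out
end

# Walk the candidate list; first candidate that yields a level wins.
# Numeric strings 0-7 are accepted as-is, names case-insensitively.
def resolve_level(event, candidates)
  candidates.each do |cand|
    expanded = expand(event, cand)
    next if expanded.nil?
    return expanded.to_i if expanded =~ /\A[0-7]\z/
    level = LEVEL_MAP[expanded.downcase]
    return level if level
  end
  nil
end

# Constructed sample, trimmed from the event in the report.
EVENT = JSON.parse('{"@type":"CQLog","@fields":{"Filename":["stdout.log"],' \
                   '"severity":["INFO"]},"@message":"... *INFO * ..."}')

if __FILE__ == $0
  puts resolve_level(EVENT, ["%{severity}", "i"])  # expect 6 (info), not 1 (alert)
end
```

With this logic an event carrying severity "INFO" maps to 6 and an event without the field falls through to the "i" fallback, which is what the report expected instead of Alert.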