-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathlogstash-elb.conf
41 lines (34 loc) · 1.26 KB
/
logstash-elb.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#
# Parser for AWS ELB log format
#
# Takes timestamp from the logline for historical import. See output stanza for
# choices, default stdout.
#
# Computes ms from seconds intervals
input { stdin { } }
filter {
mutate { replace => { "type" => "elb" } }
grok {
match => {
"message" => [
"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:loadbalancer} %{IP:client_ip}:%{NUMBER:client_port:int} %{IP:backend_ip}:%{NUMBER:backend_port:int} %{NUMBER:request_handling_s:float} %{NUMBER:backend_handling_s:float} %{NUMBER:response_handling_s:float} %{NUMBER:elb_status_code:int} %{NUMBER:backend_status_code:int} %{NUMBER:received_bytes:int} %{NUMBER:sent_bytes:int} %{QS:request}" ,
"%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:loadbalancer} %{DATA:message}"
]
}
}
# computed fields, conversion to milliseconds for consistency with nginx accesslog.
ruby {
# total request/reponse time, named 'request'
code => "event['request_s'] = event['request_handling_s']+event['backend_handling_s']+event['response_handling_s']"
}
ruby {
code => "event['request_ms'] = event['request_s']*1000"
}
date {
match => [ timestamp, "ISO8601" ]
}
}
output {
#elasticsearch { host => localhost }
stdout { codec => rubydebug }
}