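# Logstash pipeline: tail the host's auth.log and syslog, parse the classic
# syslog line format, and print the resulting events to stdout.
input {
  file {
    type => "syslog"
    # The Logstash process needs read access to these files (auth.log is
    # usually readable only by root and the adm group on Debian-style hosts);
    # the events it produces carry the login/sudo activity recorded there.
    path => ["/var/log/auth.log", "/var/log/syslog"]
    # Uncomment to read the existing file contents instead of only new lines.
    #start_position => beginning
    # Uncomment to discard read offsets; this re-reads the whole files on
    # every restart and therefore emits duplicate events.
    #sincedb_path => "/dev/null"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Patterns are tried in order, most specific first. A line matching
      # none of them is tagged "_grokparsefailure" and keeps its raw message.
      match => {
        "message" => ["%{SYSLOGPAMSESSION}", "%{CRONLOG}", "%{SYSLOGLINE}"]
      }
      # After we processed the log we don't need the raw message anymore:
      # the pattern's own "message" capture replaces the raw line on a match.
      overwrite => "message"
    }
    date {
      # Classic syslog stamps carry neither year nor timezone: the date filter
      # fills in the year (current year by default) and assumes the Logstash
      # host's zone unless a "timezone" option is set here. syslog pads
      # single-digit days with a space ("Jan  5 ..."), which "MMM d" does not
      # match, so the double-space form is listed as well.
      match => ["timestamp", "MMM d HH:mm:ss", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
      remove_field => ["timestamp"]
    }
    date {
      # Only applies to events whose grok match produced an ISO 8601
      # "timestamp8601" field; events without that field pass through untouched.
      match => ["timestamp8601", "ISO8601"]
      remove_field => ["timestamp8601"]
    }
  }
}

output {
  # Debug sink: every event, including the parsed auth.log content, is printed
  # in full to stdout (the container log when run under Docker).
  stdout {
    codec => rubydebug
  }
}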