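input {
  # Beats listener for log shippers; the server side of the channel uses TLS.
  beats {
    port => 5044
    ssl => true
    ssl_key => '/config/certs/logstash.pkcs8.key'
    ssl_certificate => '/config/certs/logstash.crt'
    # NOTE(review): only the server is authenticated. Nothing here requires a
    # client certificate, so any host that can reach this port may submit
    # events. If shippers hold certificates, consider
    # ssl_certificate_authorities together with ssl_verify_mode => "force_peer".
  }

  # HTTP listener for audit events; every event it creates is given type "Audit"
  # unless the submitted JSON already carries a "type" field.
  http {
    port => 8057
    codec => "json"
    type => "Audit"
    # NOTE(review): no ssl, user or password is configured, so audit events
    # arrive over plain HTTP from unauthenticated senders. For an audit trail,
    # enable TLS and the plugin's basic-auth options, or restrict access to
    # this port at the network layer.
    response_headers => {
      # CORS is a browser policy, not an access control: with a wildcard
      # origin, any web page may post to this endpoint from a user's browser.
      # NOTE(review): pin this to the known front-end origin if there is one.
      "Access-Control-Allow-Origin" => "*"
      "Access-Control-Allow-Headers" => "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With"
      "Access-Control-Allow-Methods" => "*"
      # "Access-Control-Allow-Credentials" => "*" was dropped: the only value
      # browsers honour is "true", and credentialed requests are refused when
      # the allowed origin is a wildcard, so the header had no effect.
    }
  }
}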
filter {
  # Route on the event type: "Audit" events are parsed as JSON, everything
  # else is treated as a plain log line.
  # NOTE(review): [type] is not overwritten by an input when the sender already
  # supplied one, so the sender can influence which branch (and index) an
  # event lands in. Consider routing on something the sender cannot set.
  if [type] == "Audit" {
    # Expand a JSON document carried in "message", if there is one.
    json {
      source => "message"
    }

    # Normalise audit field names to the ones used for ordinary logs.
    mutate {
      rename => {
        "severity" => "priority"
        "logMessage" => "message"
      }
    }

    # Daily audit index; consumed by the elasticsearch output.
    mutate {
      add_field => {
        "esIndex" => "talendaudit-%{+YYYY.MM.dd}"
      }
    }
  } else {
    # Split the log line into timestamp, priority, method, logger and text.
    grok {
      match => {
        "message" => "%{URIHOST:agentTimestamp} %{HAPROXYTIME:time} %{DATA:priority} %{SYSLOG5424SD:method} %{JAVACLASS:logger_name} %{GREEDYDATA:log_message}"
      }
    }

    # When grok extracted the text part, make it the event message.
    if [log_message] {
      mutate {
        update => {
          "message" => "%{log_message}"
        }
      }
    }

    # Daily index for ordinary logs.
    mutate {
      add_field => {
        "esIndex" => "logstash-%{+YYYY.MM.dd}"
      }
    }

    if [app_id] {
      mutate {
        rename => {
          "app_id" => "application"
        }
      }
    }
  }

  # Strip shipper bookkeeping before indexing.
  # NOTE(review): this also drops "host" and "tags". Without "host" the stored
  # event no longer records where it came from, and without "tags" the
  # _grokparsefailure / _jsonparsefailure markers are lost, so malformed input
  # becomes indistinguishable from parsed input. Confirm this is intended for
  # the audit index.
  # NOTE(review): "beat[name]" and "beat[hostname]" are not in the bracketed
  # [beat][name] field-reference form; verify they match the intended fields.
  mutate {
    remove_field => [ "beats_input_codec_plain_applied", "offset", "beat[name]", "app_id", "beat[hostname]", "host", "tags" ]
    remove_tag => [ "beats_input_codec_plain_applied" ]
  }
}
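output {
  # Ship every event to Elasticsearch over HTTPS, into the index chosen by the
  # filter stage.
  elasticsearch {
    hosts => ["https://node1.local:9200"]
    # CA used to verify the Elasticsearch server certificate.
    # NOTE(review): this path is relative, unlike the absolute /config/certs
    # paths used by the beats input; confirm it resolves from the directory
    # Logstash is started in.
    cacert => 'config/certs/ca/ca.crt'
    user => 'logstash_writer'
    # The password is no longer stored in this file. It is resolved at startup
    # from the Logstash keystore or the process environment.
    # LOGSTASH_WRITER_PASSWORD is a placeholder name: define it before
    # deploying, and rotate the previous password, since it was kept here in
    # clear text.
    password => "${LOGSTASH_WRITER_PASSWORD}"
    # NOTE(review): esIndex is an ordinary event field; make sure a sender
    # cannot pre-populate it, or carry the index name under [@metadata].
    index => "%{esIndex}"
  }
}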