#=============================================================================== filter { #--------------------------------------------------------------------------- # Parse & tag routes logs (as used by keystone & nova) if "routes-generic" in [tags] { #----------------------------------------------------------------------- # routes GET requests i.e.: # 1) keystone.log: Matched GET /tenants __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 # 2) keystone.log: Matched GET /users __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 # 3) keystone.log: Matched GET /tenants/47942f2dc60d4b88804b8573c0e78d7e/users __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 # 4) keystone.log: Matched GET /tenants/47942f2dc60d4b88804b8573c0e78d7e/users/29f569a2066745659b4fb080ff3b5a67/roles # __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 # 5) keystone.log: Matched GET /users/965fbe7ab90d4b1b912f85d4eb34d1cd/credentials/OS-EC2 __call__ # # /usr/lib/python2.7/dist-packages/routes/middleware.py:100 grok { match => [ "@message", "GET /%{DATA:api_func}(/%{DATA:api_func_path})? %{GREEDYDATA:message}" ] add_tag => [ "routes-get-request" ] break_on_match => false overwrite => ["message"] # overwrites original message with whats left tag_on_failure => [] } #----------------------------------------------------------------------- if "routes-get-request" in [tags] { #------------------------------------------------------------------- # Tenants GET requests i.e.: # 1) keystone.log: Matched GET /tenants/47942f2dc60d4b88804b8573c0e78d7e/users __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 # 2) keystone.log: Matched GET /tenants/47942f2dc60d4b88804b8573c0e78d7e/users/29f569a2066745659b4fb080ff3b5a67/roles # __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 if [api_func] == "tenants" { grok { match => [ "api_func_path", "%{WORD:tenant_id}/%{WORD:tenant_func}(/%{WORD:user_id}/%{WORD:user_func})?" ] add_tag => [ "routes-tenants-get-request" ] break_on_match => false remove_field => ["api_func_path"] tag_on_failure => [] } } #------------------------------------------------------------------- # Users GET requests i.e.: # 1) Matched GET /users/965fbe7ab90d4b1b912f85d4eb34d1cd/credentials/OS-EC2 __call__ # # /usr/lib/python2.7/dist-packages/routes/middleware.py:100 if [api_func] == "users" { grok { match => [ "api_func_path", "%{WORD:user_id}/%{WORD:user_func}(/%{PROG:user_func_detail})?" ] add_tag => [ "routes-users-get-request" ] break_on_match => false remove_field => ["api_func_path"] tag_on_failure => [] } } #------------------------------------------------------------------- } #----------------------------------------------------------------------- # Parse & tag routes POST requests #----------------------------------------------------------------------- # routes POSTS requests i.e.: # 1) routes.middleware [-] Matched POST /tokens __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 grok { match => [ "@message", "POST /%{DATA:api_func} %{GREEDYDATA:message}" ] add_tag => [ "routes-post-request" ] break_on_match => false overwrite => ["message"] # overwrites original message with whats left tag_on_failure => [] } #----------------------------------------------------------------------- } #--------------------------------------------------------------------------- } #===============================================================================