#=============================================================================== filter { #--------------------------------------------------------------------------- # Parse & tag generic openstack log message grok { match => { "@message" => "%{TIMESTAMP_ISO8601:os_timestamp} %{POSINT:os_program_pid} %{AUDITLOGLEVEL:os_level} %{OPENSTACK_FUNCTION:openstack_function} %{OPENSTACK_CODE:openstack_code} %{GREEDYDATA:openstack_message}" } # add_tag => [ "openstack-generic" ] break_on_match => false tag_on_failure => [] } #--------------------------------------------------------------------------- # Parse & tag specific openstack project log messages if "openstack-generic" in [tags] { #--------------------------------------------------------------------------- # Parse & tag multiline logs where subsequent lines are added to the original, previous line # multiline { # pattern => "^(([0-9]+-(?:0?[1-9]|1[0-2])-(?:3[01]|[1-2]?[0-9]|0?[1-9]))|((?:0?[1-9]|1[0-2])/(?:3[01]|[1-2]?[0-9]|0?[1-9]))).*$" # negate => true # what => "previous" # } #----------------------------------------------------------------------- # Parse & tag generic nova logs # i.e.: # 1) nova-api-os-compute.log: nova.osapi_compute.wsgi.server [-] (11093) accepted ('192.168.1.100', 53437) # 2) nova-compute.log: nova.compute.resource_tracker [-] Auditing locally available compute resources grok { match => ["os_program", "nova.%{GREEDYDATA:os_program_path}"] add_tag => [ "nova-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic keystoneclient logs (as used by nova) # i.e.: # 1) nova-api-os-compute.log: keystonemiddleware.auth_token [-] Using /tmp/keystone-signing-FI3PTe as cache directory for signing certificate grok { match => ["os_program", "keystonemiddleware.%{GREEDYDATA:os_program_path}"] add_tag => [ "keystoneclient-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic keystone logs # i.e.: # 1) keystone.log: keystone.common.controller [-] RBAC: Bypassing authorization # 2) keystone.log: keystone-all [-] Configuration options gathered from: log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1929 grok { match => ["os_program", "keystone[.-]%{GREEDYDATA:os_program_path}"] add_tag => [ "keystone-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic routes logs (as used by keystone & nova) # i.e.: # 1) keystone.log: routes.middleware [-] Initialized with method overriding = True, and path info altering = True __init__ /usr/lib/python2.7/dist-packages/routes/middleware.py:41 # 2) keystone.log: routes.middleware [-] Matched GET /tenants __call__ /usr/lib/python2.7/dist-packages/routes/middleware.py:100 grok { match => ["os_program", "routes[.-]%{GREEDYDATA:os_program_path}"] add_tag => [ "routes-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic sqlalchemy logs (as used by keystone) # i.e.: # 1) keystone.log: 2014-06-10 13:41:24.789 18755 INFO sqlalchemy.engine.base.Engine [-] ('default',) grok { match => ["os_program", "sqlalchemy.%{GREEDYDATA:os_program_path}"] add_tag => [ "sqlalchemy-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic cinder logs # i.e.: # 1) cinder.log: 2014-06-11 16:00:30.546 4131 INFO cinder.api.openstack.wsgi [-] http://10.127.26.62:8776/ returned with HTTP 200 grok { match => ["os_program", "cinder.%{GREEDYDATA:os_program_path}"] add_tag => [ "cinder-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic neutron logs # i.e.: # 1) neutron.log: 2014-06-11 16:00:30.546 4131 INFO cinder.api.openstack.wsgi [-] http://10.127.26.62:8776/ returned with HTTP 200 grok { match => ["os_program", "neutron.%{GREEDYDATA:os_program_path}"] add_tag => [ "neutron-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic glance logs grok { match => ["os_program", "glance.%{GREEDYDATA:os_program_path}"] add_tag => [ "glance-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Parse & tag generic heat logs grok { match => ["os_program", "heat.%{GREEDYDATA:os_program_path}"] add_tag => [ "heat-generic" ] break_on_match => false tag_on_failure => [] } #----------------------------------------------------------------------- # Generic Apache log (primarily GET/POST requests as seen in keystone) # i.e.: # 1) 192.168.1.100 - - [10/Jun/2014:11:43:14 +0000] "POST http://192.168.1.100:5000/v2.0/tokens HTTP/1.0" 200 8374 grok { match => [ "message", "%{COMMONAPACHELOG}" ] add_tag => [ "generic-apache-request" ] break_on_match => false remove_field => ["message"] # overwrites original message with whats left tag_on_failure => [] } #----------------------------------------------------------------------- } #--------------------------------------------------------------------------- } #===============================================================================