From eb4e6731b5becfe86a09830913f3c07717ebc2a0 Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Sun, 23 Sep 2018 16:48:11 -0400
Subject: [PATCH] Drop oslofmt tag from checks

The filebeat does not ship anything tagged with oslofmt, the openstack tag gives us all we need to parse things correctly.

Change-Id: I614e4bc5d85559540a9d616407da993ed90de87e
---
 .../templates/logstash-pipelines.yml.j2 | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/elk_metrics_6x/templates/logstash-pipelines.yml.j2 b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
index b10f07d8..d1f9c2c1 100644
--- a/elk_metrics_6x/templates/logstash-pipelines.yml.j2
+++ b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
@@ -173,19 +173,17 @@
 }
 }
 } else if "openstack" in [tags] {
- if "oslofmt" in [tags] {
- if "Can not find policy directory: policy.d" in [message] {
- drop { }
- }
- grok {
- match => {
- "message" => [
- "^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?",
- "^%{CISCOTIMESTAMP:journalddate}%{SPACE}%{SYSLOGHOST:host}%{SPACE}%{SYSLOGPROG:prog}%{SPACE}%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}%{SPACE}%{NOTSPACE:loglevel}%{SPACE}%{NOTSPACE:module}%{SPACE}%{GREEDYDATA:logmessage}"
- ]
- }
- add_field => { "received_at" => "%{@timestamp}" }
+ if "Can not find policy directory: policy.d" in [message] {
+ drop { }
+ }
+ grok {
+ match => {
+ "message" => [
+ "^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?",
+ "^%{CISCOTIMESTAMP:journalddate}%{SPACE}%{SYSLOGHOST:host}%{SPACE}%{SYSLOGPROG:prog}%{SPACE}%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}%{SPACE}%{NOTSPACE:loglevel}%{SPACE}%{NOTSPACE:module}%{SPACE}%{GREEDYDATA:logmessage}"
+ ]
 }
+ add_field => { "received_at" => "%{@timestamp}" }
 }
 if "nova" in [tags] {
 mutate {
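Review bot: With the `"oslofmt" in [tags]` guard removed, the `grok` block now runs on every event tagged `openstack`, and the hunk shows no handling for events that match neither pattern. Those events would continue with the plugin's default `_grokparsefailure` tag and without `loglevel`, `module` or `received_at`, which weakens any downstream search or alert keyed on those fields (AUDIT and ERROR lines in particular). Consider a dedicated failure tag on this filter, for example `tag_on_failure => ["_grokparsefailure_openstack"]` (the tag name is illustrative), so unparsed OpenStack lines can be counted and reviewed. The enclosing `else if "openstack" in [tags]` block starts before and continues past the hunk, so later handling may already exist.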