Fast development of Grok / Logstash extractions and fields
Posted in Operating Systems, Linux, Tips on Monday, July 16, 2018 by cam
I had the fun times of trying to write grok rules in a particular way along with a complicated pipeline. I got tried of pushing the rules and restarting logstash, there had to be a better way!
This is want I ended up doing on my development system:
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.3.1.rpm yum localinstall logstash-6.3.1.rpm
Create your pipeline in: /etc/logstash/conf.d/
Create the following example files:
/tmp/input.txt:
2018-07-16T01:53:28.716258+00:00 acme-host1 sshd[12522]: Disconnected from 8.8.8.8 port 37972
000-file-in.conf:
input {
file {
path => [ "/tmp/input.txt" ]
start_position => beginning
type => "test"
add_field => { "sourcetype" => "test" }
sincedb_path => "/dev/null"
}
}
25-filter.conf:
filter {
if [type] == "test" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601} %{SYSLOGHOST:logsource} %{SYSLOGPROG}?: %{GREEDYDATA:message}" }
overwrite => [ "message" ]
add_tag => [ "p25vls" ]
}
date {
locale => "en"
match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
timezone => "UTC"
}
}
}
999-output.conf:
output {
stdout { codec => rubydebug }
}
Run:
/usr/share/logstash/bin/logstash -r -f /etc/logstash/conf.d/
Give it a minute, because well Java
Now in a second window, modify you pipeline (or file 25-filter.conf etc), save it.
You should see Logstash reprocess the data from ‘/tmp/input.txt’
Happy iterational development :-)