From 9d948492a9b30438dbeded28d1e699e801230961 Mon Sep 17 00:00:00 2001 From: shanedaniel Date: Wed, 25 Oct 2017 16:11:44 -0400 Subject: Add logstash parsing for SDC-BE and AAI-ML Issue-ID: LOG-87 Change-Id: Iedcc36287a3858335a8801852141323acb6f4545 Signed-off-by: shanedaniel --- elasticstack/logstash/conf/onap-pipeline.conf | 65 +++++++++++++++++++++++---- 1 file changed, 57 insertions(+), 8 deletions(-) (limited to 'elasticstack/logstash') diff --git a/elasticstack/logstash/conf/onap-pipeline.conf b/elasticstack/logstash/conf/onap-pipeline.conf index a382edc..ed3240d 100644 --- a/elasticstack/logstash/conf/onap-pipeline.conf +++ b/elasticstack/logstash/conf/onap-pipeline.conf @@ -117,8 +117,12 @@ filter { } # Filter for logback events else { + +# mutate { add_field => { "orgmsg" => "%{message}" } } # Copy of orginal msg for debug + mutate { gsub => [ + 'message', ' = ', '=', 'message', '= ', '=null', 'message', '=\t', '=null ', #This null is followed by a tab 'message', '\t$', '\t' @@ -130,7 +134,9 @@ filter { "message" => ["%{TIMESTAMP_ISO8601:Timestamp}\t%{GREEDYDATA:Thread}\t%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}\t%{JAVACLASS:Logger}\t(?:[^\t]+\t)*%{GREEDYDATA:message}", "(?.*\t)" ] - "source" => ["/var/log/onap/(?[^/]+)/"] + "source" => ["/var/log/onap/(?[^/]+)/", + "/var/log/onap/%{GREEDYDATA:componentLogFile}" + ] } overwrite => ["message"] } 
@@ -141,8 +147,50 @@ filter { trim_value => "\s" remove_field => [ "MDCs" ] } - } -} + + date { + match => [ "Timestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ] + target => "Timestamp" + } + + if [source] == "/var/log/onap/aai/aai-ml/metrics.log" { + csv { + source => "message" + separator => "|" + quote_char => "`" + columns => ["Begin TS", "End TS", "DuplicateRequestID", "Unknown1", "threadID", "phys/virt server name", "service name", "Partner Name", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Log level", "Unknown8", "Unknown9", "Status code", "Server", "Unknown10", "Unknown11", "Unknown12", "Unknown13", "Unknown14", "Unknown15", "Unknown16", "Unknown17", "Unknown18", "message"] + } + } + else if [source] == "/var/log/onap/aai/aai-ml/audit.log" { + csv { + source => "message" + separator => "|" + quote_char => "`" + columns => ["Begin TS", "End TS", "DuplicateRequestID", "Unknown1", "threadID", "phys/virt server name", "service name", "Partner Name", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Log level", "Unknown6", "Unknown7", "Status code", "Server", "Unknown10", "Unknown11", "Unknown12", "Unknown13", "Unknown14", "Unknown15", "Unknown16", "Unknown17", "message"] + } + } + + mutate { + remove_field => ["DuplicateRequestID", "Unknown1", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Unknown8", "Unknown9", "Unknown10", "Unknown11", "Unknown12", "Unknown13", "Unknown14", "Unknown15", "Unknown16", "Unknown17", "Unknown18"] + } + + if ([source] == "/var/log/onap/sdc/sdc-be/audit.log") { + + #Parse kvps in message + kv { + field_split => "\s" + trim_key => "\s" + trim_value => "\s" + } + + #If Request Id is missing and DID is present use as RequestId + if (![RequestId] and [DID] =~ /.+/) { + mutate { add_field => { "RequestId" => "%{DID}" } } + } + } + + } #Close else statement for logback events +} #Close filter output { 
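Review bot: The `kv` filter added for `/var/log/onap/sdc/sdc-be/audit.log` sets neither `include_keys` nor `target`, so every `key=value` token in the audit message becomes a top-level event field. Audit lines usually carry request-derived values, so a crafted value could introduce arbitrary fields or, depending on how the filter treats existing fields, collide with ones set earlier such as `Timestamp`, `loglevel` or `source`. An open-ended key set also lets the Elasticsearch mapping grow without bound. Restricting the filter with `include_keys => [ "DID", "RequestId" ]`, extended with whatever other keys the dashboards need (only those two are visible in this hunk), keeps the parsed set fixed. The enclosing `else` branch for logback events opens outside the hunk, so earlier handling of the same fields cannot be checked from here.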
@@ -154,7 +202,7 @@ output { user => $es_user password => $es_password - ## The .cer or .pem file to validate the server’s certificate + ## The .cer or .pem file to validate the server's certificate #cacert => $es_cacert ## The keystore used to present a certificate to the server. It can be either .jks or .p12 @@ -165,10 +213,10 @@ output { ## Default is not set which in that case depends on the protocol specidfied in hosts list #ssl => $es_ssl - ## Option to validate the server’s certificate. Default is true + ## Option to validate the server's certificate. Default is true #ssl_certificate_verification => $es_ssl_certificate_verification - ## The JKS truststore to validate the server’s certificate. + ## The JKS truststore to validate the server's certificate. #truststore => $es_truststore #truststore_password => $es_truststore_password @@ -177,7 +225,7 @@ output { #can specify one or a list of hosts. If sniffing is set, one is enough and others will be auto-discovered ##Also protocol can be specified like ["http://10.247.186.12:9200"] - hosts => ["http://elasticsearch.onap:9200"] + hosts => ["http://elasticsearch.onap-log:9200"] ## This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Default is false. @@ -205,4 +253,5 @@ output { ## This can be used to associate child documents with a parent using the parent ID. #parent => "abcd' } -} \ No newline at end of file +} + -- cgit 1.2.3-korg
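Review bot: In the `@@ -177,7 +225,7 @@` hunk the renamed `hosts` entry still uses `http://`, while `user => $es_user` and `password => $es_password` appear as active settings in the same output block. As written, the credentials and every shipped log event would travel to Elasticsearch unencrypted. Since the line is being changed anyway, consider `hosts => ["https://elasticsearch.onap-log:9200"]` together with uncommenting `cacert => $es_cacert`, leaving `ssl_certificate_verification` at its default of true. Whether the cluster serves TLS on 9200 is not visible in the diff and needs confirming against the Elasticsearch deployment. The `output` block starts and ends outside this hunk.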