logstash-lib 1.3.2

data/lib/logstash/filters/geoip.rb

@@ -0,0 +1,145 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "tempfile"
+
+# Add GeoIP fields from Maxmind database
+#
+# GeoIP filter, adds information about the geographical location of IP addresses.
+#
+# Starting at version 1.3.0 of logstash, a [geoip][location] field is created if
+# the GeoIP lookup returns a latitude and longitude. The field is stored in
+# [GeoJSON](http://geojson.org/geojson-spec.html) format. Additionally,
+# the default Elasticsearch template provided with the
+# [elasticsearch output](../outputs/elasticsearch.html)
+# maps the [geoip][location] field to a [geo_point](http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html).
+#
+# As this field is a geo\_point _and_ it is still valid GeoJSON, you get
+# the awesomeness of Elasticsearch's geospatial query, facet and filter functions
+# and the flexibility of having GeoJSON for all other applications (like Kibana's
+# [bettermap panel](https://github.com/elasticsearch/kibana/tree/master/src/app/panels/bettermap)).
+#
+# Logstash releases ship with the GeoLiteCity database made available from
+# Maxmind with a CCA-ShareAlike 3.0 license. For more details on GeoLite, see
+# <http://www.maxmind.com/en/geolite>.
+class LogStash::Filters::GeoIP < LogStash::Filters::Base
+  config_name "geoip"
+  milestone 1
+
+  # GeoIP database file to use, Country, City, ASN, ISP and organization
+  # databases are supported
+  #
+  # If not specified, this will default to the GeoLiteCity database that ships
+  # with logstash.
+  config :database, :validate => :path
+
+  # The field containing the IP address or hostname to map via geoip. If
+  # this field is an array, only the first value will be used.
+  config :source, :validate => :string, :required => true
+
+  # Array of geoip fields that we want to be included in our event.
+  #
+  # Possible fields depend on the database type. By default, all geoip fields
+  # are included in the event.
+  #
+  # For the built in GeoLiteCity database, the following are available:
+  # city\_name, continent\_code, country\_code2, country\_code3, country\_name,
+  # dma\_code, ip, latitude, longitude, postal\_code, region\_name, timezone
+  config :fields, :validate => :array
+
+  # Specify into what field you want the geoip data.
+  # This can be useful for example if you have a src\_ip and dst\_ip and want
+  # information of both IP's.
+  #
+  # If you save the data to another target than "geoip" and want to use the
+  # geo\_point related functions in elasticsearch, you need to alter the template
+  # provided with the elasticsearch output and configure the output to use the
+  # new template.
+  #
+  # Even if you don't use the geo\_point mapping, the [target][location] field
+  # is still valid GeoJSON.
+  config :target, :validate => :string, :default => 'geoip'
+
+  public
+  def register
+    require "geoip"
+    if @database.nil?
+      if __FILE__ =~ /^(jar:)?file:\/.+!.+/
+        begin
+          # Running from a jar, assume GeoLiteCity.dat is at the root.
+          jar_path = [__FILE__.split("!").first, "/GeoLiteCity.dat"].join("!")
+          tmp_file = Tempfile.new('logstash-geoip')
+          tmp_file.write(File.read(jar_path))
+          tmp_file.close # this file is reaped when ruby exits
+          @database = tmp_file.path
+        rescue => ex
+          raise "Failed to cache, due to: #{ex}\n#{ex.backtrace}"
+        end
+      else
+        if File.exists?("GeoLiteCity.dat")
+          @database = "GeoLiteCity.dat"
+        elsif File.exists?("vendor/geoip/GeoLiteCity.dat")
+          @database = "vendor/geoip/GeoLiteCity.dat"
+        else
+          raise "You must specify 'database => ...' in your geoip filter"
+        end
+      end
+    end
+    @logger.info("Using geoip database", :path => @database)
+    @geoip = ::GeoIP.new(@database)
+
+    @geoip_type = case @geoip.database_type
+    when GeoIP::GEOIP_CITY_EDITION_REV0, GeoIP::GEOIP_CITY_EDITION_REV1
+      :city
+    when GeoIP::GEOIP_COUNTRY_EDITION
+      :country
+    when GeoIP::GEOIP_ASNUM_EDITION
+      :asn
+    when GeoIP::GEOIP_ISP_EDITION, GeoIP::GEOIP_ORG_EDITION
+      :isp
+    else
+      raise RuntimeException.new "This GeoIP database is not currently supported"
+    end
+
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+    geo_data = nil
+
+    begin
+      ip = event[@source]
+      ip = ip.first if ip.is_a? Array
+      geo_data = @geoip.send(@geoip_type, ip)
+    rescue SocketError => e
+      @logger.error("IP Field contained invalid IP address or hostname", :field => @field, :event => event)
+    rescue Exception => e
+      @logger.error("Unknown error while looking up GeoIP data", :exception => e, :field => @field, :event => event)
+    end
+
+    return if geo_data.nil?
+
+    geo_data_hash = geo_data.to_hash
+    geo_data_hash.delete(:request)
+    event[@target] = {} if event[@target].nil?
+    geo_data_hash.each do |key, value|
+      next if value.nil? || (value.is_a?(String) && value.empty?)
+      if @fields.nil? || @fields.empty?
+        # no fields requested, so add all geoip hash items to
+        # the event's fields.
+        # convert key to string (normally a Symbol)
+        event[@target][key.to_s] = value
+      elsif @fields.include?(key.to_s)
+        # Check if the key is in our fields array
+        # convert key to string (normally a Symbol)
+        event[@target][key.to_s] = value
+      end
+    end # geo_data_hash.each
+    if event[@target].key?('latitude') && event[@target].key?('longitude')
+      # If we have latitude and longitude values, add the location field as GeoJSON array
+      event[@target]['location'] = [ event[@target]["longitude"].to_f, event[@target]["latitude"].to_f ]
+    end
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::GeoIP

data/lib/logstash/filters/grep.rb

@@ -0,0 +1,153 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+
+# Grep filter. Useful for dropping events you don't want to pass, or
+# adding tags or fields to events that match.
+#
+# Events not matched are dropped. If 'negate' is set to true (defaults false),
+# then matching events are dropped.
+class LogStash::Filters::Grep < LogStash::Filters::Base
+
+  config_name "grep"
+  milestone 3
+
+  # Drop events that don't match
+  #
+  # If this is set to false, no events will be dropped at all. Rather, the
+  # requested tags and fields will be added to matching events, and
+  # non-matching events will be passed through unchanged.
+  config :drop, :validate => :boolean, :default => true
+
+  # Negate the match. Similar to 'grep -v'
+  #
+  # If this is set to true, then any positive matches will result in the
+  # event being cancelled and dropped. Non-matching will be allowed
+  # through.
+  config :negate, :validate => :boolean, :default => false
+
+  # A hash of matches of field => regexp.  If multiple matches are specified,
+  # all must match for the grep to be considered successful.  Normal regular
+  # expressions are supported here.
+  #
+  # For example:
+  #
+  #     filter {
+  #       grep {
+  #         match => [ "message", "hello world" ]
+  #       }
+  #     }
+  #
+  # The above will drop all events with a message not matching "hello world" as
+  # a regular expression.
+  config :match, :validate => :hash, :default => {}
+
+  # Use case-insensitive matching. Similar to 'grep -i'
+  #
+  # If enabled, ignore case distinctions in the patterns.
+  config :ignore_case, :validate => :boolean, :default => false
+
+  public
+  def register
+    @logger.warn("The 'grep' plugin is no longer necessary now that you can do if/elsif/else in logstash configs. This plugin will be removed in the future. If you need to drop events, please use the drop filter. If you need to take action based on a match, use an 'if' block and the mutate filter. See the following URL for details on how to use if/elsif/else in your logstash configs:http://logstash.net/docs/#{LOGSTASH_VERSION}/configuration")
+
+    @patterns = Hash.new { |h,k| h[k] = [] }
+
+      # TODO(sissel): 
+    @match.each do |field, pattern|
+
+      pattern = [pattern] if pattern.is_a?(String)
+      pattern.each do |p|
+        re = Regexp.new(p, @ignore_case ? Regexp::IGNORECASE : 0)
+        @patterns[field] << re
+        @logger.debug? and @logger.debug("Registered grep", :type => @type, :field => field,
+                    :pattern => p, :regexp => re)
+      end
+    end # @match.merge.each
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    @logger.debug("Running grep filter", :event => event, :config => config)
+    matches = 0
+
+    # If negate is set but no patterns are given, drop the event.
+    # This is useful in cases where you want to drop all events with
+    # a given type or set of tags
+    #
+    # filter {
+    #   grep {
+    #     negate => true
+    #     type => blah
+    #   }
+    # }
+    if @negate && @patterns.empty?
+      event.cancel
+      return
+    end
+
+    @patterns.each do |field, regexes|
+      # For each match object, we have to match everything in order to
+      # apply any fields/tags.
+      match_count = 0
+      match_want = 0
+      regexes.each do |re|
+        match_want += 1
+
+        # Events without this field, with negate enabled, count as a match.
+        # With negate disabled, we can't possibly match, so skip ahead.
+        if event[field].nil?
+          if @negate
+            msg = "Field not present, but negate is true; marking as a match"
+            @logger.debug(msg, :field => field, :event => event)
+            match_count += 1
+          else
+            @logger.debug("Skipping match object, field not present",
+                          :field => field, :event => event)
+          end
+          # Either way, don't try to process -- may end up with extra unwanted
+          # +1's to match_count
+          next
+        end
+
+        (event[field].is_a?(Array) ? event[field] : [event[field]]).each do |value|
+          value = value.to_s if value.is_a?(Numeric)
+          if @negate
+            @logger.debug("negate match", :regexp => re, :value => value)
+            next if re.match(value)
+            @logger.debug("grep not-matched (negate requested)", field => value)
+          else
+            @logger.debug("want match", :regexp => re, :value => value)
+            next unless re.match(value)
+            @logger.debug("grep matched", field => value)
+          end
+          match_count += 1
+          break
+        end # each value in event[field]
+      end # regexes.each
+
+      if match_count == match_want
+        matches += 1
+        @logger.debug("matched all fields", :count => match_count)
+      else
+        @logger.debug("match failed", :count => match_count, :wanted => match_want)
+      end # match["match"].each
+    end # @patterns.each
+
+    if matches == @patterns.length
+      filter_matched(event)
+    else
+      if @drop == true
+        @logger.debug("grep: dropping event, no matches")
+        event.cancel
+      else
+        @logger.debug("grep: no matches, but drop set to false")
+      end
+      return
+    end
+
+    @logger.debug("Event after grep filter", :event => event)
+  end # def filter
+end # class LogStash::Filters::Grep

data/lib/logstash/filters/grok.rb

@@ -0,0 +1,425 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "set"
+
+# Parse arbitrary text and structure it.
+#
+# Grok is currently the best way in logstash to parse crappy unstructured log
+# data into something structured and queryable.
+#
+# This tool is perfect for syslog logs, apache and other webserver logs, mysql
+# logs, and in general, any log format that is generally written for humans
+# and not computer consumption.
+#
+# Logstash ships with about 120 patterns by default. You can find them here:
+# <https://github.com/logstash/logstash/tree/v%VERSION%/patterns>. You can add
+# your own trivially. (See the patterns_dir setting)
+#
+# If you need help building patterns to match your logs, you will find the
+# <http://grokdebug.herokuapp.com> too quite useful!
+#
+# #### Grok Basics
+#
+# Grok works by combining text patterns into something that matches your
+# logs.
+#
+# The syntax for a grok pattern is `%{SYNTAX:SEMANTIC}`
+#
+# The `SYNTAX` is the name of the pattern that will match your text. For
+# example, "3.44" will be matched by the NUMBER pattern and "55.3.244.1" will
+# be matched by the IP pattern. The syntax is how you match.
+#
+# The `SEMANTIC` is the identifier you give to the piece of text being matched.
+# For example, "3.44" could be the duration of an event, so you could call it
+# simply 'duration'. Further, a string "55.3.244.1" might identify the 'client'
+# making a request.
+#
+# Optionally you can add a data type conversion to your grok pattern. By default
+# all semantics are saved as strings. If you wish to convert a semantic's data type,
+# for example change a string to an integer then suffix it with the target data type.
+# For example `%{NUMBER:num:int}` which converts the 'num' semantic from a string to an
+# integer. Currently the only supported conversions are `int` and `float`.
+#
+# #### Example
+#
+# With that idea of a syntax and semantic, we can pull out useful fields from a
+# sample log like this fictional http request log:
+#
+#     55.3.244.1 GET /index.html 15824 0.043
+#
+# The pattern for this could be:
+#
+#     %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}
+#
+# A more realistic example, let's read these logs from a file:
+#
+#     input {
+#       file {
+#         path => "/var/log/http.log"
+#       }
+#     }
+#     filter {
+#       grok {
+#         match => [ "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ]
+#       }
+#     }
+#
+# After the grok filter, the event will have a few extra fields in it:
+#
+# * client: 55.3.244.1
+# * method: GET
+# * request: /index.html
+# * bytes: 15824
+# * duration: 0.043
+#
+# #### Regular Expressions
+#
+# Grok sits on top of regular expressions, so any regular expressions are valid
+# in grok as well. The regular expression library is Oniguruma, and you can see
+# the full supported regexp syntax [on the Onigiruma
+# site](http://www.geocities.jp/kosako3/oniguruma/doc/RE.txt)
+#
+# #### Custom Patterns
+#
+# Sometimes logstash doesn't have a pattern you need. For this, you have
+# a few options.
+#
+# First, you can use the Oniguruma syntax for 'named capture' which will
+# let you match a piece of text and save it as a field:
+#
+#     (?<field_name>the pattern here)
+#
+# For example, postfix logs have a 'queue id' that is an 10 or 11-character
+# hexadecimal value. I can capture that easily like this:
+#
+#     (?<queue_id>[0-9A-F]{10,11})
+#
+# Alternately, you can create a custom patterns file. 
+#
+# * Create a directory called `patterns` with a file in it called `extra`
+#   (the file name doesn't matter, but name it meaningfully for yourself)
+# * In that file, write the pattern you need as the pattern name, a space, then
+#   the regexp for that pattern.
+#
+# For example, doing the postfix queue id example as above:
+#
+#     # in ./patterns/postfix 
+#     POSTFIX_QUEUEID [0-9A-F]{10,11}
+#
+# Then use the `patterns_dir` setting in this plugin to tell logstash where
+# your custom patterns directory is. Here's a full example with a sample log:
+#
+#     Jan  1 06:25:43 mailserver14 postfix/cleanup[21403]: BEF25A72965: message-id=<20130101142543.5828399CCAF@mailserver14.example.com>
+#
+#     filter {
+#       grok {
+#         patterns_dir => "./patterns"
+#         match => [ "message", "%{SYSLOGBASE} %{POSTFIX_QUEUEID:queue_id}: %{GREEDYDATA:syslog_message}" ]
+#       }
+#     }
+#
+# The above will match and result in the following fields:
+#
+# * timestamp: Jan  1 06:25:43
+# * logsource: mailserver14
+# * program: postfix/cleanup
+# * pid: 21403
+# * queue_id: BEF25A72965
+# * syslog_message: message-id=<20130101142543.5828399CCAF@mailserver14.example.com
+#
+# The `timestamp`, `logsource`, `program`, and `pid` fields come from the
+# SYSLOGBASE pattern which itself is defined by other patterns.
+class LogStash::Filters::Grok < LogStash::Filters::Base
+  config_name "grok"
+  milestone 3
+
+  # Specify a pattern to parse with. This will match the 'message' field.
+  #
+  # If you want to match other fields than message, use the 'match' setting.
+  # Multiple patterns is fine.
+  config :pattern, :validate => :array, :deprecated => "You should use this instead: match => { \"message\" => \"your pattern here\" }"
+
+  # A hash of matches of field => value
+  #
+  # For example:
+  #
+  #     filter {
+  #       grok {
+  #         match => [ "message", "Duration: %{NUMBER:duration}" ]
+  #       }
+  #     }
+  #
+  config :match, :validate => :hash, :default => {}
+
+  #
+  # logstash ships by default with a bunch of patterns, so you don't
+  # necessarily need to define this yourself unless you are adding additional
+  # patterns.
+  #
+  # Pattern files are plain text with format:
+  #
+  #     NAME PATTERN
+  #
+  # For example:
+  #
+  #     NUMBER \d+
+  config :patterns_dir, :validate => :array, :default => []
+
+  # Drop if matched. Note, this feature may not stay. It is preferable to combine
+  # grok + grep filters to do parsing + dropping.
+  #
+  # requested in: googlecode/issue/26
+  config :drop_if_match, :validate => :boolean, :default => false
+
+  # Break on first match. The first successful match by grok will result in the
+  # filter being finished. If you want grok to try all patterns (maybe you are
+  # parsing different things), then set this to false.
+  config :break_on_match, :validate => :boolean, :default => true
+
+  # If true, only store named captures from grok.
+  config :named_captures_only, :validate => :boolean, :default => true
+
+  # If true, keep empty captures as event fields.
+  config :keep_empty_captures, :validate => :boolean, :default => false
+
+  # If true, make single-value fields simply that value, not an array
+  # containing that one value.
+  config :singles, :validate => :boolean, :default => true, :deprecated => "This behavior is the default now, you don't need to set it."
+
+  # Append values to the 'tags' field when there has been no
+  # successful match
+  config :tag_on_failure, :validate => :array, :default => ["_grokparsefailure"]
+
+  # The fields to overwrite.
+  #
+  # This allows you to overwrite a value in a field that already exists.
+  #
+  # For example, if you have a syslog line in the 'message' field, you can
+  # overwrite the 'message' field with part of the match like so:
+  #
+  #     filter {
+  #       grok {
+  #         match => [ 
+  #           "message",
+  #           "%{SYSLOGBASE} %{DATA:message}
+  #         ]
+  #         overwrite => [ "message" ]
+  #       }
+  #     }
+  #
+  #  In this case, a line like "May 29 16:37:11 sadness logger: hello world"
+  #  will be parsed and 'hello world' will overwrite the original message.
+  config :overwrite, :validate => :array, :default => []
+
+  # Detect if we are running from a jarfile, pick the right path.
+  @@patterns_path ||= Set.new
+  if __FILE__ =~ /file:\/.*\.jar!.*/
+    @@patterns_path += ["#{File.dirname(__FILE__)}/../../patterns/*"]
+  else
+    @@patterns_path += ["#{File.dirname(__FILE__)}/../../../patterns/*"]
+  end
+
+  public
+  def initialize(params)
+    super(params)
+    @match["message"] ||= []
+    @match["message"] += @pattern if @pattern # the config 'pattern' value (array)
+    # a cache of capture name handler methods.
+    @handlers = {}
+  end
+
+  public
+  def register
+    require "grok-pure" # rubygem 'jls-grok'
+
+    @patternfiles = []
+
+    # Have @@patterns_path show first. Last-in pattern definitions win; this
+    # will let folks redefine built-in patterns at runtime.
+    @patterns_dir = @@patterns_path.to_a + @patterns_dir
+    @logger.info? and @logger.info("Grok patterns path", :patterns_dir => @patterns_dir)
+    @patterns_dir.each do |path|
+      # Can't read relative paths from jars, try to normalize away '../'
+      while path =~ /file:\/.*\.jar!.*\/\.\.\//
+        # replace /foo/bar/../baz => /foo/baz
+        path = path.gsub(/[^\/]+\/\.\.\//, "")
+        @logger.debug? and @logger.debug("In-jar path to read", :path => path)
+      end
+
+      if File.directory?(path)
+        path = File.join(path, "*")
+      end
+
+      Dir.glob(path).each do |file|
+        @logger.info? and @logger.info("Grok loading patterns from file", :path => file)
+        @patternfiles << file
+      end
+    end
+
+    @patterns = Hash.new { |h,k| h[k] = [] }
+
+    @logger.info? and @logger.info("Match data", :match => @match)
+
+    @match.each do |field, patterns|
+      patterns = [patterns] if patterns.is_a?(String)
+
+      if !@patterns.include?(field)
+        @patterns[field] = Grok::Pile.new
+        #@patterns[field].logger = @logger
+
+        add_patterns_from_files(@patternfiles, @patterns[field])
+      end
+      @logger.info? and @logger.info("Grok compile", :field => field, :patterns => patterns)
+      patterns.each do |pattern|
+        @logger.debug? and @logger.debug("regexp: #{@type}/#{field}", :pattern => pattern)
+        @patterns[field].compile(pattern)
+      end
+    end # @match.each
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    matched = false
+    done = false
+
+    @logger.debug? and @logger.debug("Running grok filter", :event => event);
+    @patterns.each do |field, grok|
+      if match(grok, field, event)
+        matched = true
+        break if @break_on_match
+      end
+      #break if done
+    end # @patterns.each
+
+    if matched
+      filter_matched(event)
+    else
+      # Tag this event if we can't parse it. We can use this later to
+      # reparse+reindex logs if we improve the patterns given.
+      @tag_on_failure.each do |tag|
+        event["tags"] ||= []
+        event["tags"] << tag unless event["tags"].include?(tag)
+      end
+    end
+
+    @logger.debug? and @logger.debug("Event now: ", :event => event)
+  end # def filter
+
+  private
+  def match(grok, field, event)
+    input = event[field]
+    if input.is_a?(Array)
+      success = true
+      input.each do |input|
+        grok, match = grok.match(input)
+        if match
+          match.each_capture do |capture, value|
+            handle(capture, value, event)
+          end
+        else
+          success = false
+        end
+      end
+      return success
+    #elsif input.is_a?(String)
+    else
+      # Convert anything else to string (number, hash, etc)
+      grok, match = grok.match(input.to_s)
+      return false if !match
+
+      match.each_capture do |capture, value|
+        handle(capture, value, event)
+      end
+      return true
+    end
+  rescue StandardError => e
+    @logger.warn("Grok regexp threw exception", :exception => e.message)
+  end
+
+  private
+  def handle(capture, value, event)
+    handler = @handlers[capture] ||= compile_capture_handler(capture)
+    return handler.call(value, event)
+  end
+
+  private
+  def compile_capture_handler(capture)
+    # SYNTAX:SEMANTIC:TYPE
+    syntax, semantic, coerce = capture.split(":")
+
+    # each_capture do |fullname, value|
+    #   capture_handlers[fullname].call(value, event) 
+    # end
+
+    code = []
+    code << "# for capture #{capture}"
+    code << "lambda do |value, event|"
+    #code << "  p :value => value, :event => event"
+    if semantic.nil?
+      if @named_captures_only 
+        # Abort early if we are only keeping named (semantic) captures
+        # and this capture has no semantic name.
+        code << "  return"
+      else
+        field = syntax
+      end
+    else
+      field = semantic
+    end
+    code << "  return if value.nil? || value.empty?" unless @keep_empty_captures
+    if coerce
+      case coerce
+        when "int"; code << "  value = value.to_i"
+        when "float"; code << "  value = value.to_f"
+      end
+    end
+
+    code << "  # field: #{field}"
+    if @overwrite.include?(field)
+      code << "  event[field] = value"
+    else
+      code << "  v = event[field]"
+      code << "  if v.nil?"
+      code << "    event[field] = value"
+      code << "  elsif v.is_a?(Array)"
+      code << "    event[field] << value"
+      code << "  elsif v.is_a?(String)"
+      # Promote to array since we aren't overwriting.
+      code << "    event[field] = [v, value]"
+      code << "  end"
+    end
+    code << "  return"
+    code << "end"
+
+    #puts code
+    return eval(code.join("\n"), binding, "<grok capture #{capture}>")
+  end # def compile_capture_handler
+
+  private
+  def add_patterns_from_files(paths, pile)
+    paths.each { |path| add_patterns_from_file(path, pile) }
+  end # def add_patterns_from_files
+
+  private
+  def add_patterns_from_file(path, pile)
+    # Check if the file path is a jar, if so, we'll have to read it ourselves
+    # since libgrok won't know what to do with it.
+    if path =~ /file:\/.*\.jar!.*/
+      File.new(path).each do |line|
+        next if line =~ /^(?:\s*#|\s*$)/
+        # In some cases I have seen 'file.each' yield lines with newlines at
+        # the end. I don't know if this is a bug or intentional, but we need
+        # to chomp it.
+        name, pattern = line.chomp.split(/\s+/, 2)
+        @logger.debug? and @logger.debug("Adding pattern from file", :name => name,
+                                         :pattern => pattern, :path => path)
+        pile.add_pattern(name, pattern)
+      end
+    else
+      pile.add_patterns_from_file(path)
+    end
+  end # def add_patterns_from_file
+end # class LogStash::Filters::Grok