RubyGems - logstash-lite - Versions diffs - 0.2.20101118134500 - Mend

logstash-lite 0.2.20101118134500

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (134) hide show

data/bin/logstash +56 -0
data/bin/logstash-web +6 -0
data/etc/logstash-elasticsearch-rabbitmq-river.yaml +41 -0
data/etc/logstash-mongodb-storage.yaml +5 -0
data/etc/logstash-parser.yaml +20 -0
data/etc/logstash-reader.yaml +8 -0
data/etc/logstash-shipper.yaml +18 -0
data/etc/logstash-standalone.yaml +47 -0
data/etc/prod.yaml +38 -0
data/etc/redhat/logstash +92 -0
data/etc/redhat/logstash-agent +83 -0
data/etc/redhat/logstash-agent.sysconfig +7 -0
data/etc/redhat/logstash.spec +171 -0
data/etc/redhat/logstash.sysconfig +18 -0
data/etc/tograylog.yaml +37 -0
data/examples/test.rb +38 -0
data/lib/logstash.rb +3 -0
data/lib/logstash/agent.rb +116 -0
data/lib/logstash/event.rb +70 -0
data/lib/logstash/filters.rb +17 -0
data/lib/logstash/filters/base.rb +17 -0
data/lib/logstash/filters/date.rb +59 -0
data/lib/logstash/filters/field.rb +29 -0
data/lib/logstash/filters/grok.rb +74 -0
data/lib/logstash/filters/grokdiscovery.rb +60 -0
data/lib/logstash/inputs.rb +18 -0
data/lib/logstash/inputs/amqp.rb +48 -0
data/lib/logstash/inputs/base.rb +32 -0
data/lib/logstash/inputs/file.rb +47 -0
data/lib/logstash/inputs/syslog.rb +123 -0
data/lib/logstash/inputs/tcp.rb +51 -0
data/lib/logstash/logging.rb +82 -0
data/lib/logstash/namespace.rb +6 -0
data/lib/logstash/outputs.rb +15 -0
data/lib/logstash/outputs/amqp.rb +48 -0
data/lib/logstash/outputs/base.rb +29 -0
data/lib/logstash/outputs/elasticsearch.rb +71 -0
data/lib/logstash/outputs/gelf.rb +35 -0
data/lib/logstash/outputs/mongodb.rb +19 -0
data/lib/logstash/outputs/stdout.rb +15 -0
data/lib/logstash/outputs/websocket.rb +35 -0
data/lib/logstash/time.rb +27 -0
data/lib/logstash/web/lib/elasticsearch.rb +79 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/jquery-ui-1.8.5.custom.css +572 -0
data/lib/logstash/web/public/js/flot/API.txt +1024 -0
data/lib/logstash/web/public/js/flot/FAQ.txt +71 -0
data/lib/logstash/web/public/js/flot/LICENSE.txt +22 -0
data/lib/logstash/web/public/js/flot/Makefile +15 -0
data/lib/logstash/web/public/js/flot/NEWS.txt +340 -0
data/lib/logstash/web/public/js/flot/PLUGINS.txt +105 -0
data/lib/logstash/web/public/js/flot/README.txt +81 -0
data/lib/logstash/web/public/js/flot/examples/ajax.html +143 -0
data/lib/logstash/web/public/js/flot/examples/annotating.html +75 -0
data/lib/logstash/web/public/js/flot/examples/arrow-down.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/arrow-left.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/arrow-right.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/arrow-up.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/basic.html +38 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-1.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-2.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-3.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-4.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-5.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-japan-gdp-growth.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-usa-gdp-growth.json +4 -0
data/lib/logstash/web/public/js/flot/examples/dual-axis.html +39 -0
data/lib/logstash/web/public/js/flot/examples/graph-types.html +75 -0
data/lib/logstash/web/public/js/flot/examples/hs-2004-27-a-large_web.jpg +0 -0
data/lib/logstash/web/public/js/flot/examples/image.html +45 -0
data/lib/logstash/web/public/js/flot/examples/index.html +43 -0
data/lib/logstash/web/public/js/flot/examples/interacting.html +93 -0
data/lib/logstash/web/public/js/flot/examples/layout.css +6 -0
data/lib/logstash/web/public/js/flot/examples/navigate.html +118 -0
data/lib/logstash/web/public/js/flot/examples/selection.html +114 -0
data/lib/logstash/web/public/js/flot/examples/setting-options.html +65 -0
data/lib/logstash/web/public/js/flot/examples/stacking.html +77 -0
data/lib/logstash/web/public/js/flot/examples/thresholding.html +54 -0
data/lib/logstash/web/public/js/flot/examples/time.html +71 -0
data/lib/logstash/web/public/js/flot/examples/tracking.html +95 -0
data/lib/logstash/web/public/js/flot/examples/turning-series.html +98 -0
data/lib/logstash/web/public/js/flot/examples/visitors.html +90 -0
data/lib/logstash/web/public/js/flot/examples/zooming.html +98 -0
data/lib/logstash/web/public/js/flot/excanvas.js +1427 -0
data/lib/logstash/web/public/js/flot/excanvas.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.colorhelpers.js +174 -0
data/lib/logstash/web/public/js/flot/jquery.colorhelpers.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.crosshair.js +156 -0
data/lib/logstash/web/public/js/flot/jquery.flot.crosshair.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.image.js +237 -0
data/lib/logstash/web/public/js/flot/jquery.flot.image.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.js +2119 -0
data/lib/logstash/web/public/js/flot/jquery.flot.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.navigate.js +272 -0
data/lib/logstash/web/public/js/flot/jquery.flot.navigate.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.selection.js +299 -0
data/lib/logstash/web/public/js/flot/jquery.flot.selection.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.stack.js +152 -0
data/lib/logstash/web/public/js/flot/jquery.flot.stack.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.threshold.js +103 -0
data/lib/logstash/web/public/js/flot/jquery.flot.threshold.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.js +4376 -0
data/lib/logstash/web/public/js/flot/jquery.min.js +19 -0
data/lib/logstash/web/public/js/jquery-hashchange-1.0.0.js +121 -0
data/lib/logstash/web/public/js/jquery.livequery.js +250 -0
data/lib/logstash/web/public/js/jquery.tmpl.min.js +1 -0
data/lib/logstash/web/public/js/logstash.js +202 -0
data/lib/logstash/web/server.rb +90 -0
data/lib/logstash/web/views/header.haml +8 -0
data/lib/logstash/web/views/layout.haml +21 -0
data/lib/logstash/web/views/main/index.haml +5 -0
data/lib/logstash/web/views/search/ajax.haml +32 -0
data/lib/logstash/web/views/search/results.haml +17 -0
data/lib/logstash/web/views/style.sass +50 -0
data/patterns/firewalls +2 -0
data/patterns/grok-patterns +90 -0
data/patterns/haproxy +5 -0
data/patterns/linux-syslog +7 -0
data/patterns/nagios +7 -0
data/patterns/ruby +2 -0
metadata +228 -0

data/etc/redhat/logstash.sysconfig ADDED Viewed

@@ -0,0 +1,18 @@
+# LogStash configuration
+# Run the indexer. This can be set to false to disable the indexer (and
+# searching) and only parse log lines.
+INDEXER=true
+# Run one parser. For maximum throughput, run one parser per core.
+# This can be set to 0 to disable the parser.
+PARSERS=1
+# Path to config file
+CONFIG=/opt/logstash/etc/logstashd.yaml
+# Set to true for very verbose debugging output
+DEBUG=false
+# Run as the logstash user
+USER=logstash

data/etc/tograylog.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+---
+inputs:
+  linux-syslog:
+  - /var/log/messages
+  - /var/log/kern.log
+  - /var/log/auth.log
+  - /var/log/user.log
+  apache-access:
+  - /var/log/apache2/access.log
+  - /home/jls/logs/access_log
+  apache-error:
+  - /var/log/apache2/error.log
+  - /home/jls/logs/error_log
+filters:
+- grok:
+    linux-syslog: # for logs of type 'linux-syslog'
+      patterns:
+      - %{SYSLOGLINE}
+    apache-access: # for logs of type 'apache-error'
+      patterns:
+      - %{COMBINEDAPACHELOG}
+    nagios:
+      patterns:
+      - %{NAGIOSLOGLINE}
+- date:
+    linux-syslog:  # for logs of type 'linux-syslog'
+      # Look for a field 'timestamp' with this format, parse and it for the timestamp
+      # This field comes from the SYSLOGLINE pattern
+      timestamp: "%b %e %H:%M:%S"
+      timestamp8601: ISO8601
+    apache-access:
+      timestamp: "%d/%b/%Y:%H:%M:%S %Z"
+    nagios:
+      epochtime: %s
+outputs:
+- stdout:///
+- gelf://localhost/

data/examples/test.rb ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+#
+# How to trigger the 'evil ip' message:
+# % logger -t "pantscon" "naughty host 14.33.24.55 $RANDOM"
+require "rubygems"
+require "logstash/agent"
+class MyAgent < LogStash::Agent
+  def receive(event)
+    filter(event)  # Invoke any filters
+    return unless event["progname"][0] == "pantscon"
+    return unless event.message =~ /naughty host/
+    event["IP"].each do |ip|
+      next unless ip.length > 0
+      puts "Evil IP: #{ip}"
+    end
+  end # def receive
+end # class MyAgent
+# Read a local file, parse it, and react accordingly (see MyAgent#receive)
+agent = MyAgent.new({
+  "input" => [
+    "/var/log/messages",
+  ],
+  "filter" => [ "grok" ],
+})
+agent.run
+# Read messages that we expect to be parsed by another agent. Reads
+# a particular AMQP topic for messages
+#agent = MyAgent.new({
+  #"input" => [
+    #"amqp://localhost/topic/parsed",
+  #]
+#})
+#agent.run

data/lib/logstash.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require "logstash/namespace"
+require "logstash/agent"
+require "logstash/event"

data/lib/logstash/agent.rb ADDED Viewed

@@ -0,0 +1,116 @@
+require "eventmachine"
+require "eventmachine-tail"
+require "logstash/namespace"
+require "logstash/inputs"
+require "logstash/outputs"
+require "logstash/filters"
+require "logstash/logging"
+# Collect logs, ship them out.
+class LogStash::Agent
+  attr_reader :config
+  def initialize(config)
+    @logger = LogStash::Logger.new(STDERR)
+    @config = config
+    @outputs = []
+    @inputs = []
+    @filters = []
+    # Config should have:
+    # - list of logs to monitor
+    #   - log config
+    # - where to ship to
+  end # def initialize
+  # Register any event handlers with EventMachine
+  # Technically, this agent could listen for anything (files, sockets, amqp,
+  # stomp, etc).
+  protected
+  def register
+    # TODO(sissel): warn when no inputs and no outputs are defined.
+    # TODO(sissel): Refactor this madness into a config lib
+    if (["inputs", "outputs"] & @config.keys).length == 0
+      $stderr.puts "No inputs or no outputs configured. This probably isn't what you want."
+    end
+    # Register input and output stuff
+    if @config.include?("inputs")
+      inputs = @config["inputs"]
+      inputs.each do |value|
+        # If 'url' is an array, then inputs is a hash and the key is the type
+        if inputs.is_a?(Hash)
+          type, urls = value
+        else
+          raise "config error, no type for url #{urls.inspect}"
+        end
+        # url could be a string or an array.
+        urls = [urls] if !urls.is_a?(Array)
+        urls.each do |url|
+          @logger.debug("Using input #{url} of type #{type}")
+          input = LogStash::Inputs.from_url(url, type) { |event| receive(event) }
+          input.register
+          @inputs << input
+        end
+      end # each input
+    end
+    if @config.include?("filters")
+      filters = @config["filters"]
+      filters.collect { |x| x.to_a[0] }.each do |filter|
+        name, value = filter
+        @logger.debug("Using filter #{name} => #{value.inspect}")
+        filter = LogStash::Filters.from_name(name, value)
+        filter.register
+        @filters << filter
+      end # each filter
+    end
+    if @config.include?("outputs")
+      @config["outputs"].each do |url|
+        @logger.debug("Using output #{url}")
+        output = LogStash::Outputs.from_url(url)
+        output.register
+        @outputs << output
+      end # each output
+    end
+  end # def register
+  public
+  def run
+    EventMachine.run do
+      self.register
+    end # EventMachine.run
+  end # def run
+  protected
+  def filter(event)
+    @filters.each do |f|
+      # TODO(sissel): Add ability for a filter to cancel/drop a message
+      f.filter(event)
+      if event.cancelled?
+        break
+      end
+    end
+  end # def filter
+  protected
+  def output(event)
+    @outputs.each do |o|
+      o.receive(event)
+    end # each output
+  end # def output
+  protected
+  # Process a message
+  def receive(event)
+    filter(event)
+    if !event.cancelled?
+      output(event)
+    end
+  end # def input
+end # class LogStash::Components::Agent

data/lib/logstash/event.rb ADDED Viewed

@@ -0,0 +1,70 @@
+require "json"
+require "logstash/time"
+require "uri"
+# General event type. Will expand this in the future.
+module LogStash; class Event
+  def initialize(data)
+    @cancelled = false
+    @data = {
+      "@source" => "unknown",
+      "@type" => nil,
+      "@tags" => [],
+      "@fields" => {},
+    }.merge(data)
+    if !@data.include?("@timestamp")
+      @data["@timestamp"] = LogStash::Time.now.utc.to_iso8601
+    end
+  end # def initialize
+  def self.from_json(json)
+    return Event.new(JSON.parse(json))
+  end # def self.from_json
+  def cancel
+    @cancelled = true
+  end
+  def cancelled?
+    return @cancelled
+  end
+  def to_s
+    return "#{timestamp} #{source}: #{message}"
+  end # def to_s
+  def timestamp; @data["@timestamp"]; end # def timestamp
+  def timestamp=(val); @data["@timestamp"] = val; end # def timestamp=
+  def source; @data["@source"]; end # def source
+  def source=(val)
+    if val.is_a?(URI)
+      @data["@source"] = val.to_s
+      @data["@source_host"] = val.host
+      @data["@source_path"] = val.path
+    else
+      @data["@source"] = val
+    end
+  end # def source=
+  def message; @data["@message"]; end # def message
+  def message=(val); @data["@message"] = val; end # def message=
+  def type; @data["@type"]; end # def type
+  def type=(val); @data["@type"] = val; end # def type=
+  def tags; @data["@tags"]; end # def tags
+  def tags=(val); @data["@tags"] = val; end # def tags=
+  # field-related access
+  def [](key); @data["@fields"][key] end # def []
+  def []=(key, value); @data["@fields"][key] = value end # def []=
+  def fields; return @data["@fields"] end # def fields
+  def to_json; return @data.to_json end # def to_json
+  def to_hash; return @data end # def to_hash
+  def include?(key); return @data.include?(key) end
+end; end # class LogStash::Event

data/lib/logstash/filters.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require "logstash/namespace"
+module LogStash::Filters
+  def self.from_name(name, *args)
+    # TODO(sissel): Add error handling
+    # TODO(sissel): Allow plugin paths
+    klass = name.capitalize
+    # Load the class if we haven't already.
+    require "logstash/filters/#{name}"
+    # Get the class name from the Filters namespace and create a new instance.
+    # for name == 'foo' this will call LogStash::Filters::Foo.new
+    LogStash::Filters.const_get(klass).new(*args)
+  end # def from_url
+end # module LogStash::Filters

data/lib/logstash/filters/base.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require "logstash/namespace"
+require "logstash/logging"
+class LogStash::Filters::Base
+  def initialize(config = {})
+    @logger = LogStash::Logger.new(STDERR)
+    @config = config
+  end # def initialize
+  def register
+    raise "#{self.class}#register must be overidden"
+  end # def register
+  def filter(event)
+    raise "#{self.class}#filter must be overidden"
+  end # def filter
+end # class LogStash::Filters::Base

data/lib/logstash/filters/date.rb ADDED Viewed

@@ -0,0 +1,59 @@
+require "logstash/filters/base"
+require "logstash/time"
+class LogStash::Filters::Date < LogStash::Filters::Base
+  # The 'date' filter will take a value from your event and use it as the
+  # event timestamp. This is useful for parsing logs generated on remote
+  # servers or for importing old logs.
+  #
+  # The config looks like this:
+  #
+  # filters:
+  #   date:
+  #     <type>:
+  #       <fieldname>: <format>
+  #     <type>
+  #       <fieldname>: <format>
+  #
+  # The format is whatever is supported by Ruby's DateTime.strptime
+  def initialize(config = {})
+    super
+    @types = Hash.new { |h,k| h[k] = [] }
+  end # def initialize
+  def register
+    @config.each do |type, typeconfig|
+      @logger.debug "Setting type #{type.inspect} to the config #{typeconfig.inspect}"
+      raise "date filter type \"#{type}\" defined more than once" unless @types[type].empty?
+      @types[type] = typeconfig
+    end # @config.each
+  end # def register
+  def filter(event)
+    @logger.debug "DATE FILTER: received event of type #{event.type}"
+    return unless @types.member?(event.type)
+    @types[event.type].each do |field, format|
+      @logger.debug "DATE FILTER: type #{event.type}, looking for field #{field.inspect} with format #{format.inspect}"
+      # TODO(sissel): check event.message, too.
+      if event.fields.member?(field)
+        fieldvalue = event.fields[field]
+        fieldvalue = [fieldvalue] if fieldvalue.is_a?(String)
+        fieldvalue.each do |value|
+          begin
+            case format
+              when "ISO8601"
+                time = DateTime.parse(value)
+              else
+                time = DateTime.strptime(value, format)
+            end
+            event.timestamp = LogStash::Time.to_iso8601(time)
+            @logger.debug "Parsed #{value.inspect} as #{event.timestamp}"
+          rescue
+            @logger.warn "Failed parsing date #{value.inspect} from field #{field} with format #{format.inspect}: #{$!}"
+          end
+        end # fieldvalue.each
+      end # if this event has a field we expect to be a timestamp
+    end # @types[event.type].each
+  end # def filter
+end # class LogStash::Filters::Date

data/lib/logstash/filters/field.rb ADDED Viewed

@@ -0,0 +1,29 @@
+require "logstash/filters/base"
+require "ostruct"
+class LogStash::Filters::Field < LogStash::Filters::Base
+  class EvalSpace < OpenStruct
+    def get_binding
+      return binding
+    end
+  end
+  def initialize(config = {})
+    super
+  end # def initialize
+  def register
+    # nothing to do
+  end # def register
+  def filter(event)
+    data = EvalSpace.new(event.to_hash)
+    @config.each do |condition|
+      if data.instance_eval(condition)
+        return # This event is OK, matches the condition.
+      end
+    end
+    event.cancel
+  end
+end # class LogStash::Filters::Field

data/lib/logstash/filters/grok.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require "logstash/filters/base"
+gem "jls-grok", ">=0.2.3071"
+require "grok" # rubygem 'jls-grok'
+class LogStash::Filters::Grok < LogStash::Filters::Base
+  def initialize(config = {})
+    super
+    @grokpiles = {}
+  end # def initialize
+  def register
+    # TODO(sissel): Make patterns files come from the config
+    @config.each do |type, typeconfig|
+      @logger.debug("Registering type with grok: #{type}")
+      pile = Grok::Pile.new
+      patterndir = "#{File.dirname(__FILE__)}/../../../patterns/*"
+      Dir.glob(patterndir).each do |path|
+        pile.add_patterns_from_file(path)
+      end
+      typeconfig["patterns"].each do |pattern|
+        groks = pile.compile(pattern)
+        @logger.debug(["Compiled pattern", pattern, groks[-1].expanded_pattern])
+      end
+      @grokpiles[type] = pile
+    end # @config.each
+  end # def register
+  def filter(event)
+    # parse it with grok
+    message = event.message
+    match = false
+    if event.type
+      if @grokpiles.include?(event.type)
+        @logger.debug(["Running grok filter", event])
+        pile = @grokpiles[event.type]
+        grok, match = pile.match(message)
+      end # @grokpiles.include?(event.type)
+      # TODO(2.0): support grok pattern discovery
+    else
+      @logger.info("Unknown type for #{event.source} (type: #{event.type})")
+      @logger.debug(event.to_hash)
+    end
+    if match
+      match.each_capture do |key, value|
+        if key.include?(":")
+          key = key.split(":")[1]
+        end
+        if event.message == value
+          # Skip patterns that match the entire line
+          @logger.debug("Skipping capture '#{key}' since it matches the whole line.")
+          next
+        end
+        if event.fields[key].is_a?(String)
+          event.fields[key] = [event.fields[key]]
+        elsif event.fields[key] == nil
+          event.fields[key] = []
+        end
+        event.fields[key] << value
+      end
+    else
+      # Tag this event if we can't parse it. We can use this later to
+      # reparse+reindex logs if we improve the patterns given .
+      event.tags << "_grokparsefailure"
+    end
+    @logger.debug(["Event now: ", event.to_hash])
+  end # def filter
+end # class LogStash::Filters::Grok