RubyGems - logstash-lite - Versions diffs - 0.2.20101118134500 - Mend

logstash-lite 0.2.20101118134500

Files changed (134) hide show

data/bin/logstash +56 -0
data/bin/logstash-web +6 -0
data/etc/logstash-elasticsearch-rabbitmq-river.yaml +41 -0
data/etc/logstash-mongodb-storage.yaml +5 -0
data/etc/logstash-parser.yaml +20 -0
data/etc/logstash-reader.yaml +8 -0
data/etc/logstash-shipper.yaml +18 -0
data/etc/logstash-standalone.yaml +47 -0
data/etc/prod.yaml +38 -0
data/etc/redhat/logstash +92 -0
data/etc/redhat/logstash-agent +83 -0
data/etc/redhat/logstash-agent.sysconfig +7 -0
data/etc/redhat/logstash.spec +171 -0
data/etc/redhat/logstash.sysconfig +18 -0
data/etc/tograylog.yaml +37 -0
data/examples/test.rb +38 -0
data/lib/logstash.rb +3 -0
data/lib/logstash/agent.rb +116 -0
data/lib/logstash/event.rb +70 -0
data/lib/logstash/filters.rb +17 -0
data/lib/logstash/filters/base.rb +17 -0
data/lib/logstash/filters/date.rb +59 -0
data/lib/logstash/filters/field.rb +29 -0
data/lib/logstash/filters/grok.rb +74 -0
data/lib/logstash/filters/grokdiscovery.rb +60 -0
data/lib/logstash/inputs.rb +18 -0
data/lib/logstash/inputs/amqp.rb +48 -0
data/lib/logstash/inputs/base.rb +32 -0
data/lib/logstash/inputs/file.rb +47 -0
data/lib/logstash/inputs/syslog.rb +123 -0
data/lib/logstash/inputs/tcp.rb +51 -0
data/lib/logstash/logging.rb +82 -0
data/lib/logstash/namespace.rb +6 -0
data/lib/logstash/outputs.rb +15 -0
data/lib/logstash/outputs/amqp.rb +48 -0
data/lib/logstash/outputs/base.rb +29 -0
data/lib/logstash/outputs/elasticsearch.rb +71 -0
data/lib/logstash/outputs/gelf.rb +35 -0
data/lib/logstash/outputs/mongodb.rb +19 -0
data/lib/logstash/outputs/stdout.rb +15 -0
data/lib/logstash/outputs/websocket.rb +35 -0
data/lib/logstash/time.rb +27 -0
data/lib/logstash/web/lib/elasticsearch.rb +79 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
data/lib/logstash/web/public/css/smoothness/jquery-ui-1.8.5.custom.css +572 -0
data/lib/logstash/web/public/js/flot/API.txt +1024 -0
data/lib/logstash/web/public/js/flot/FAQ.txt +71 -0
data/lib/logstash/web/public/js/flot/LICENSE.txt +22 -0
data/lib/logstash/web/public/js/flot/Makefile +15 -0
data/lib/logstash/web/public/js/flot/NEWS.txt +340 -0
data/lib/logstash/web/public/js/flot/PLUGINS.txt +105 -0
data/lib/logstash/web/public/js/flot/README.txt +81 -0
data/lib/logstash/web/public/js/flot/examples/ajax.html +143 -0
data/lib/logstash/web/public/js/flot/examples/annotating.html +75 -0
data/lib/logstash/web/public/js/flot/examples/arrow-down.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/arrow-left.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/arrow-right.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/arrow-up.gif +0 -0
data/lib/logstash/web/public/js/flot/examples/basic.html +38 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-1.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-2.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-3.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-4.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth-5.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-eu-gdp-growth.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-japan-gdp-growth.json +4 -0
data/lib/logstash/web/public/js/flot/examples/data-usa-gdp-growth.json +4 -0
data/lib/logstash/web/public/js/flot/examples/dual-axis.html +39 -0
data/lib/logstash/web/public/js/flot/examples/graph-types.html +75 -0
data/lib/logstash/web/public/js/flot/examples/hs-2004-27-a-large_web.jpg +0 -0
data/lib/logstash/web/public/js/flot/examples/image.html +45 -0
data/lib/logstash/web/public/js/flot/examples/index.html +43 -0
data/lib/logstash/web/public/js/flot/examples/interacting.html +93 -0
data/lib/logstash/web/public/js/flot/examples/layout.css +6 -0
data/lib/logstash/web/public/js/flot/examples/navigate.html +118 -0
data/lib/logstash/web/public/js/flot/examples/selection.html +114 -0
data/lib/logstash/web/public/js/flot/examples/setting-options.html +65 -0
data/lib/logstash/web/public/js/flot/examples/stacking.html +77 -0
data/lib/logstash/web/public/js/flot/examples/thresholding.html +54 -0
data/lib/logstash/web/public/js/flot/examples/time.html +71 -0
data/lib/logstash/web/public/js/flot/examples/tracking.html +95 -0
data/lib/logstash/web/public/js/flot/examples/turning-series.html +98 -0
data/lib/logstash/web/public/js/flot/examples/visitors.html +90 -0
data/lib/logstash/web/public/js/flot/examples/zooming.html +98 -0
data/lib/logstash/web/public/js/flot/excanvas.js +1427 -0
data/lib/logstash/web/public/js/flot/excanvas.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.colorhelpers.js +174 -0
data/lib/logstash/web/public/js/flot/jquery.colorhelpers.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.crosshair.js +156 -0
data/lib/logstash/web/public/js/flot/jquery.flot.crosshair.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.image.js +237 -0
data/lib/logstash/web/public/js/flot/jquery.flot.image.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.js +2119 -0
data/lib/logstash/web/public/js/flot/jquery.flot.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.navigate.js +272 -0
data/lib/logstash/web/public/js/flot/jquery.flot.navigate.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.selection.js +299 -0
data/lib/logstash/web/public/js/flot/jquery.flot.selection.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.stack.js +152 -0
data/lib/logstash/web/public/js/flot/jquery.flot.stack.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.flot.threshold.js +103 -0
data/lib/logstash/web/public/js/flot/jquery.flot.threshold.min.js +1 -0
data/lib/logstash/web/public/js/flot/jquery.js +4376 -0
data/lib/logstash/web/public/js/flot/jquery.min.js +19 -0
data/lib/logstash/web/public/js/jquery-hashchange-1.0.0.js +121 -0
data/lib/logstash/web/public/js/jquery.livequery.js +250 -0
data/lib/logstash/web/public/js/jquery.tmpl.min.js +1 -0
data/lib/logstash/web/public/js/logstash.js +202 -0
data/lib/logstash/web/server.rb +90 -0
data/lib/logstash/web/views/header.haml +8 -0
data/lib/logstash/web/views/layout.haml +21 -0
data/lib/logstash/web/views/main/index.haml +5 -0
data/lib/logstash/web/views/search/ajax.haml +32 -0
data/lib/logstash/web/views/search/results.haml +17 -0
data/lib/logstash/web/views/style.sass +50 -0
data/patterns/firewalls +2 -0
data/patterns/grok-patterns +90 -0
data/patterns/haproxy +5 -0
data/patterns/linux-syslog +7 -0
data/patterns/nagios +7 -0
data/patterns/ruby +2 -0
metadata +228 -0

data/etc/redhat/logstash.sysconfig ADDED Viewed

@@ -0,0 +1,18 @@
+# LogStash configuration
+# Run the indexer. This can be set to false to disable the indexer (and
+# searching) and only parse log lines.
+INDEXER=true
+# Run one parser. For maximum throughput, run one parser per core.
+# This can be set to 0 to disable the parser.
+PARSERS=1
+# Path to config file
+CONFIG=/opt/logstash/etc/logstashd.yaml
+# Set to true for very verbose debugging output
+DEBUG=false
+# Run as the logstash user
+USER=logstash

data/etc/tograylog.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+---
+inputs:
+  linux-syslog:
+  - /var/log/messages
+  - /var/log/kern.log
+  - /var/log/auth.log
+  - /var/log/user.log
+  apache-access:
+  - /var/log/apache2/access.log
+  - /home/jls/logs/access_log
+  apache-error:
+  - /var/log/apache2/error.log
+  - /home/jls/logs/error_log
+filters:
+- grok:
+    linux-syslog: # for logs of type 'linux-syslog'
+      patterns:
+      - %{SYSLOGLINE}
+    apache-access: # for logs of type 'apache-error'
+      patterns:
+      - %{COMBINEDAPACHELOG}
+    nagios:
+      patterns:
+      - %{NAGIOSLOGLINE}
+- date:
+    linux-syslog:  # for logs of type 'linux-syslog'
+      # Look for a field 'timestamp' with this format, parse and it for the timestamp
+      # This field comes from the SYSLOGLINE pattern
+      timestamp: "%b %e %H:%M:%S"
+      timestamp8601: ISO8601
+    apache-access:
+      timestamp: "%d/%b/%Y:%H:%M:%S %Z"
+    nagios:
+      epochtime: %s
+outputs:
+- stdout:///
+- gelf://localhost/

data/examples/test.rb ADDED Viewed

@@ -0,0 +1,38 @@
+#!/usr/bin/env ruby
+#
+# How to trigger the 'evil ip' message:
+# % logger -t "pantscon" "naughty host 14.33.24.55 $RANDOM"
+require "rubygems"
+require "logstash/agent"
+class MyAgent < LogStash::Agent
+  def receive(event)
+    filter(event)  # Invoke any filters
+    return unless event["progname"][0] == "pantscon"
+    return unless event.message =~ /naughty host/
+    event["IP"].each do |ip|
+      next unless ip.length > 0
+      puts "Evil IP: #{ip}"
+    end
+  end # def receive
+end # class MyAgent
+# Read a local file, parse it, and react accordingly (see MyAgent#receive)
+agent = MyAgent.new({
+  "input" => [
+    "/var/log/messages",
+  ],
+  "filter" => [ "grok" ],
+})
+agent.run
+# Read messages that we expect to be parsed by another agent. Reads
+# a particular AMQP topic for messages
+#agent = MyAgent.new({
+  #"input" => [
+    #"amqp://localhost/topic/parsed",
+  #]
+#})
+#agent.run

data/lib/logstash.rb ADDED Viewed

@@ -0,0 +1,3 @@
+require "logstash/namespace"
+require "logstash/agent"
+require "logstash/event"

data/lib/logstash/agent.rb ADDED Viewed

@@ -0,0 +1,116 @@
+require "eventmachine"
+require "eventmachine-tail"
+require "logstash/namespace"
+require "logstash/inputs"
+require "logstash/outputs"
+require "logstash/filters"
+require "logstash/logging"
+# Collect logs, ship them out.
+class LogStash::Agent
+  attr_reader :config
+  def initialize(config)
+    @logger = LogStash::Logger.new(STDERR)
+    @config = config
+    @outputs = []
+    @inputs = []
+    @filters = []
+    # Config should have:
+    # - list of logs to monitor
+    #   - log config
+    # - where to ship to
+  end # def initialize
+  # Register any event handlers with EventMachine
+  # Technically, this agent could listen for anything (files, sockets, amqp,
+  # stomp, etc).
+  protected
+  def register
+    # TODO(sissel): warn when no inputs and no outputs are defined.
+    # TODO(sissel): Refactor this madness into a config lib
+    if (["inputs", "outputs"] & @config.keys).length == 0
+      $stderr.puts "No inputs or no outputs configured. This probably isn't what you want."
+    end
+    # Register input and output stuff
+    if @config.include?("inputs")
+      inputs = @config["inputs"]
+      inputs.each do |value|
+        # If 'url' is an array, then inputs is a hash and the key is the type
+        if inputs.is_a?(Hash)
+          type, urls = value
+        else
+          raise "config error, no type for url #{urls.inspect}"
+        end
+        # url could be a string or an array.
+        urls = [urls] if !urls.is_a?(Array)
+        urls.each do |url|
+          @logger.debug("Using input #{url} of type #{type}")
+          input = LogStash::Inputs.from_url(url, type) { |event| receive(event) }
+          input.register
+          @inputs << input
+        end
+      end # each input
+    end
+    if @config.include?("filters")
+      filters = @config["filters"]
+      filters.collect { |x| x.to_a[0] }.each do |filter|
+        name, value = filter
+        @logger.debug("Using filter #{name} => #{value.inspect}")
+        filter = LogStash::Filters.from_name(name, value)
+        filter.register
+        @filters << filter
+      end # each filter
+    end
+    if @config.include?("outputs")
+      @config["outputs"].each do |url|
+        @logger.debug("Using output #{url}")
+        output = LogStash::Outputs.from_url(url)
+        output.register
+        @outputs << output
+      end # each output
+    end
+  end # def register
+  public
+  def run
+    EventMachine.run do
+      self.register
+    end # EventMachine.run
+  end # def run
+  protected
+  def filter(event)
+    @filters.each do |f|
+      # TODO(sissel): Add ability for a filter to cancel/drop a message
+      f.filter(event)
+      if event.cancelled?
+        break
+      end
+    end
+  end # def filter
+  protected
+  def output(event)
+    @outputs.each do |o|
+      o.receive(event)
+    end # each output
+  end # def output
+  protected
+  # Process a message
+  def receive(event)
+    filter(event)
+    if !event.cancelled?
+      output(event)
+    end
+  end # def input
+end # class LogStash::Components::Agent

data/lib/logstash/event.rb ADDED Viewed

@@ -0,0 +1,70 @@
+require "json"
+require "logstash/time"
+require "uri"
+# General event type. Will expand this in the future.
+module LogStash; class Event
+  def initialize(data)
+    @cancelled = false
+    @data = {
+      "@source" => "unknown",
+      "@type" => nil,
+      "@tags" => [],
+      "@fields" => {},
+    }.merge(data)
+    if !@data.include?("@timestamp")
+      @data["@timestamp"] = LogStash::Time.now.utc.to_iso8601
+    end
+  end # def initialize
+  def self.from_json(json)
+    return Event.new(JSON.parse(json))
+  end # def self.from_json
+  def cancel
+    @cancelled = true
+  end
+  def cancelled?
+    return @cancelled
+  end
+  def to_s
+    return "#{timestamp} #{source}: #{message}"
+  end # def to_s
+  def timestamp; @data["@timestamp"]; end # def timestamp
+  def timestamp=(val); @data["@timestamp"] = val; end # def timestamp=
+  def source; @data["@source"]; end # def source
+  def source=(val)
+    if val.is_a?(URI)
+      @data["@source"] = val.to_s
+      @data["@source_host"] = val.host
+      @data["@source_path"] = val.path
+    else
+      @data["@source"] = val
+    end
+  end # def source=
+  def message; @data["@message"]; end # def message
+  def message=(val); @data["@message"] = val; end # def message=
+  def type; @data["@type"]; end # def type
+  def type=(val); @data["@type"] = val; end # def type=
+  def tags; @data["@tags"]; end # def tags
+  def tags=(val); @data["@tags"] = val; end # def tags=
+  # field-related access
+  def [](key); @data["@fields"][key] end # def []
+  def []=(key, value); @data["@fields"][key] = value end # def []=
+  def fields; return @data["@fields"] end # def fields
+  def to_json; return @data.to_json end # def to_json
+  def to_hash; return @data end # def to_hash
+  def include?(key); return @data.include?(key) end
+end; end # class LogStash::Event

data/lib/logstash/filters.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require "logstash/namespace"
+module LogStash::Filters
+  def self.from_name(name, *args)
+    # TODO(sissel): Add error handling
+    # TODO(sissel): Allow plugin paths
+    klass = name.capitalize
+    # Load the class if we haven't already.
+    require "logstash/filters/#{name}"
+    # Get the class name from the Filters namespace and create a new instance.
+    # for name == 'foo' this will call LogStash::Filters::Foo.new
+    LogStash::Filters.const_get(klass).new(*args)
+  end # def from_url
+end # module LogStash::Filters

data/lib/logstash/filters/base.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require "logstash/namespace"
+require "logstash/logging"
+class LogStash::Filters::Base
+  def initialize(config = {})
+    @logger = LogStash::Logger.new(STDERR)
+    @config = config
+  end # def initialize
+  def register
+    raise "#{self.class}#register must be overidden"
+  end # def register
+  def filter(event)
+    raise "#{self.class}#filter must be overidden"
+  end # def filter
+end # class LogStash::Filters::Base

data/lib/logstash/filters/date.rb ADDED Viewed

@@ -0,0 +1,59 @@
+require "logstash/filters/base"
+require "logstash/time"
+class LogStash::Filters::Date < LogStash::Filters::Base
+  # The 'date' filter will take a value from your event and use it as the
+  # event timestamp. This is useful for parsing logs generated on remote
+  # servers or for importing old logs.
+  #
+  # The config looks like this:
+  #
+  # filters:
+  #   date:
+  #     <type>:
+  #       <fieldname>: <format>
+  #     <type>
+  #       <fieldname>: <format>
+  #
+  # The format is whatever is supported by Ruby's DateTime.strptime
+  def initialize(config = {})
+    super
+    @types = Hash.new { |h,k| h[k] = [] }
+  end # def initialize
+  def register
+    @config.each do |type, typeconfig|
+      @logger.debug "Setting type #{type.inspect} to the config #{typeconfig.inspect}"
+      raise "date filter type \"#{type}\" defined more than once" unless @types[type].empty?
+      @types[type] = typeconfig
+    end # @config.each
+  end # def register
+  def filter(event)
+    @logger.debug "DATE FILTER: received event of type #{event.type}"
+    return unless @types.member?(event.type)
+    @types[event.type].each do |field, format|
+      @logger.debug "DATE FILTER: type #{event.type}, looking for field #{field.inspect} with format #{format.inspect}"
+      # TODO(sissel): check event.message, too.
+      if event.fields.member?(field)
+        fieldvalue = event.fields[field]
+        fieldvalue = [fieldvalue] if fieldvalue.is_a?(String)
+        fieldvalue.each do |value|
+          begin
+            case format
+              when "ISO8601"
+                time = DateTime.parse(value)
+              else
+                time = DateTime.strptime(value, format)
+            end
+            event.timestamp = LogStash::Time.to_iso8601(time)
+            @logger.debug "Parsed #{value.inspect} as #{event.timestamp}"
+          rescue
+            @logger.warn "Failed parsing date #{value.inspect} from field #{field} with format #{format.inspect}: #{$!}"
+          end
+        end # fieldvalue.each
+      end # if this event has a field we expect to be a timestamp
+    end # @types[event.type].each
+  end # def filter
+end # class LogStash::Filters::Date

data/lib/logstash/filters/field.rb ADDED Viewed

@@ -0,0 +1,29 @@
+require "logstash/filters/base"
+require "ostruct"
+class LogStash::Filters::Field < LogStash::Filters::Base
+  class EvalSpace < OpenStruct
+    def get_binding
+      return binding
+    end
+  end
+  def initialize(config = {})
+    super
+  end # def initialize
+  def register
+    # nothing to do
+  end # def register
+  def filter(event)
+    data = EvalSpace.new(event.to_hash)
+    @config.each do |condition|
+      if data.instance_eval(condition)
+        return # This event is OK, matches the condition.
+      end
+    end
+    event.cancel
+  end
+end # class LogStash::Filters::Field

data/lib/logstash/filters/grok.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require "logstash/filters/base"
+gem "jls-grok", ">=0.2.3071"
+require "grok" # rubygem 'jls-grok'
+class LogStash::Filters::Grok < LogStash::Filters::Base
+  def initialize(config = {})
+    super
+    @grokpiles = {}
+  end # def initialize
+  def register
+    # TODO(sissel): Make patterns files come from the config
+    @config.each do |type, typeconfig|
+      @logger.debug("Registering type with grok: #{type}")
+      pile = Grok::Pile.new
+      patterndir = "#{File.dirname(__FILE__)}/../../../patterns/*"
+      Dir.glob(patterndir).each do |path|
+        pile.add_patterns_from_file(path)
+      end
+      typeconfig["patterns"].each do |pattern|
+        groks = pile.compile(pattern)
+        @logger.debug(["Compiled pattern", pattern, groks[-1].expanded_pattern])
+      end
+      @grokpiles[type] = pile
+    end # @config.each
+  end # def register
+  def filter(event)
+    # parse it with grok
+    message = event.message
+    match = false
+    if event.type
+      if @grokpiles.include?(event.type)
+        @logger.debug(["Running grok filter", event])
+        pile = @grokpiles[event.type]
+        grok, match = pile.match(message)
+      end # @grokpiles.include?(event.type)
+      # TODO(2.0): support grok pattern discovery
+    else
+      @logger.info("Unknown type for #{event.source} (type: #{event.type})")
+      @logger.debug(event.to_hash)
+    end
+    if match
+      match.each_capture do |key, value|
+        if key.include?(":")
+          key = key.split(":")[1]
+        end
+        if event.message == value
+          # Skip patterns that match the entire line
+          @logger.debug("Skipping capture '#{key}' since it matches the whole line.")
+          next
+        end
+        if event.fields[key].is_a?(String)
+          event.fields[key] = [event.fields[key]]
+        elsif event.fields[key] == nil
+          event.fields[key] = []
+        end
+        event.fields[key] << value
+      end
+    else
+      # Tag this event if we can't parse it. We can use this later to
+      # reparse+reindex logs if we improve the patterns given .
+      event.tags << "_grokparsefailure"
+    end
+    @logger.debug(["Event now: ", event.to_hash])
+  end # def filter
+end # class LogStash::Filters::Grok