Comments (14)
By the way, in my case it's 10+GB of logs per day per server, so that makes up some CPU/traffic from log-courier.
Dropping useless lines by applying pre-filters on the node rather than on the indexer (logstash) seems logical for me too.
Could be configured this way:
/etc/log-courier/conf.d/smtp.conf

```json
[ {
  "paths": [ "/var/log/smtp.log" ],
  "fields": { "type": "smtp_log" },
  "filters": [ "^(.*connect from.*)$", "^(.*status=sent.*)$" ]
} ]
```
Thus, applying pre-filters to grab only the following lines in a specified log file:
```text
Jul 29 06:25:03 smtp1 postfix/smtpd[3533]: connect from unknown[x.x.x.x]
Jul 29 06:25:03 smtp1 postfix/smtp[3641]: ABCQUEUEID: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10037, conn_use=72, delay=0.14, delays=0.04/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as SECONDQID)
```
from log-courier.
I'd also like to have a negate option in that filter :)
This would be best implemented as a codec like the multiline one. It can receive events and throw out ones that don't match. That sound ok?
sounds perfect to me!
I've pushed a filter codec if you'd like to give it a try before we close the request? :)
Hey @driskell, I'm currently on vacation for the week. I'll give it a try next week!
I'll try to run it on my servers today. By the way, is there an option to use multiple codecs (both filter AND multiline, for example)?
No, sorry. It's going to be a fair bit more work to chain codecs together, and then the purpose becomes grey as they stop being codecs and become filters. The existence of this filter codec is already odd terminology-wise, but I feel it's a justified feature to prevent excessive shipping where it's not wanted.
Now that I think about it, maybe a codec is the wrong implementation here. Maybe we should simply be adding "filter" as a property of the existing codecs (plain and multiline). This solves the terminology problem and fixes the "entering grey area", and then it becomes usable for multiline. If we had other codecs for non-"line" data (like JSON) we'd just leave the option out on those.
What do you think?
Makes sense to me, although I don't think there's a need to change the naming. Codec is fine, just say that only one codec is possible at a time.
Now as for the filter codec itself, I fail to get it working at all...
My setup:
```json
[
  {
    "paths": [ "/tmp/test.log" ],
    "fields": { "type": "testlog" },
    "codec": {
      "name": "filter",
      "patterns": [
        ".*statistics.*",
        "^(.*DKIM signing.*)$"
      ],
      "negate": true
    }
  }
]
```
Test data:
```text
Aug 13 11:46:07 smtp1 postfix/smtpd[24787]: statistics: testing
Aug 13 11:46:07 smtp1 dkimproxy.out[18974]: DKIM signing - signed; message-id=<[email protected]>, signer=<[email protected]>, from=<[email protected]>
Aug 13 11:46:07 smtp1 postfix/smtpd[24787]: connect from unknown[1.1.1.1]
Aug 13 11:46:07 smtp1 postfix/smtpd[24787]: C64D26E0D72: client=unknown[1.1.1.1]
```
I see all 4 lines going to logstash/elasticsearch (I don't want the DKIM signing and statistics lines). I tried using `.*statistics.*`, `^.*statistics.*$`, `statistics` and other similar regexps; they all still get through.
Ah yes. The negate applies to each pattern separately, not as a whole.
So it's going "does it NOT match statistics?"; if it does match, it moves to the next pattern, which goes "does it NOT match DKIM signing?", so essentially all lines will match :)
I'll adjust it later so the negate applies to the result. So instead it goes "does it match statistics?"; if it doesn't, next pattern. Once finished, did it match any pattern? Then take negate into account.
Sorry for the confusion :)
I will leave things as they are once I change the negate behaviour and docs.
If there is a future demand for filtering AND multiline combined, I can remove the filter codec and instead make "filter_pattern" an option embedded in the plain codec and the multiline codec, so the filtering is part of the existing codecs as opposed to separate.
OK so negate behaviour is now as one expects. If you just have patterns, it only ships if it matches at least one of the patterns. If you then add negate, it only ships if it matches none of the patterns.
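The two behaviours discussed in this thread, side by side, as an added example written for this page (it is not log-courier's own codec code; the type and function names are assumptions, and the sample lines are constructed after the test data posted above). `Ship` applies negate once to the combined "matched any pattern?" result, which is the corrected rule; `ShipPerPatternNegate` reproduces the first version, where negate was applied to every pattern individually, so that with two disjoint patterns every line satisfied at least one "does NOT match" check and all four lines were shipped.

```go
package main

import (
	"fmt"
	"regexp"
)

// FilterCodec is an added illustration of the semantics described in the
// thread, not log-courier's own implementation: ship an event if it matches
// at least one pattern; with negate set, ship it only if it matches none.
type FilterCodec struct {
	patterns []*regexp.Regexp
	negate   bool
}

// NewFilterCodec compiles the pattern list up front so a bad regexp is
// rejected at configuration time rather than on every event.
func NewFilterCodec(patterns []string, negate bool) (*FilterCodec, error) {
	c := &FilterCodec{negate: negate}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
		c.patterns = append(c.patterns, re)
	}
	return c, nil
}

// Ship implements the corrected behaviour: negate is applied once, to the
// combined "matched any pattern?" result.
func (c *FilterCodec) Ship(line string) bool {
	matched := false
	for _, re := range c.patterns {
		if re.MatchString(line) {
			matched = true
			break
		}
	}
	return matched != c.negate
}

// ShipPerPatternNegate reproduces the first version's mistake: negate was
// applied to each pattern separately, so with two disjoint patterns every
// line passes at least one "does NOT match" check and nothing is dropped.
func (c *FilterCodec) ShipPerPatternNegate(line string) bool {
	for _, re := range c.patterns {
		if re.MatchString(line) != c.negate {
			return true
		}
	}
	return false
}

// Filter returns the lines that would be shipped under the corrected rule.
func (c *FilterCodec) Filter(lines []string) []string {
	var kept []string
	for _, l := range lines {
		if c.Ship(l) {
			kept = append(kept, l)
		}
	}
	return kept
}

// Constructed sample lines, modelled on the test data posted in the thread.
var sampleLines = []string{
	"Aug 13 11:46:07 smtp1 postfix/smtpd[24787]: statistics: testing",
	"Aug 13 11:46:07 smtp1 dkimproxy.out[18974]: DKIM signing - signed; message-id=<id@example.com>",
	"Aug 13 11:46:07 smtp1 postfix/smtpd[24787]: connect from unknown[1.1.1.1]",
	"Aug 13 11:46:07 smtp1 postfix/smtpd[24787]: C64D26E0D72: client=unknown[1.1.1.1]",
}

func main() {
	patterns := []string{".*statistics.*", "^(.*DKIM signing.*)$"}
	c, err := NewFilterCodec(patterns, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("corrected negate: shipped", len(c.Filter(sampleLines)), "of", len(sampleLines))
	buggy := 0
	for _, l := range sampleLines {
		if c.ShipPerPatternNegate(l) {
			buggy++
		}
	}
	fmt.Println("per-pattern negate: shipped", buggy, "of", len(sampleLines))
}
```

With the thread's two patterns and `negate: true`, `Filter` keeps only the `connect from` and `client=` lines, while the per-pattern variant lets all four through, which is exactly what the earlier comment observed. Compiling patterns once in `NewFilterCodec` also means a malformed regexp fails at config load instead of silently passing every event.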
I will assume this functionality is working successfully! Thanks.