From 9ff9e35c12a3bedc0c1cc1c69470034a3c32344d Mon Sep 17 00:00:00 2001
From: Joe Talerico
Date: Mon, 30 Apr 2018 13:36:53 -0400
Subject: [PATCH] Logging work Right now Rsyslog->ES will log like: logstash-YYYY.MM.DD.HH This creates a ton of indexes making search much harder. This commit removes the .HH so we have: logstash-YYYY.MM.DD This also patches the template to work with ES5
Change-Id: Iaef70f51601da504b769165e8593603adc484225
---
 .../templates/02-templates.conf.j2 | 2 -
 elastic/templates/browbeat-logstash-.json | 73 ++++++++++++-------
 2 files changed, 48 insertions(+), 27 deletions(-)
diff --git a/ansible/install/roles/rsyslog-templates/templates/02-templates.conf.j2 b/ansible/install/roles/rsyslog-templates/templates/02-templates.conf.j2
index 564a933bd..53c1b108a 100644
--- a/ansible/install/roles/rsyslog-templates/templates/02-templates.conf.j2
+++ b/ansible/install/roles/rsyslog-templates/templates/02-templates.conf.j2
@@ -27,8 +27,6 @@ template(name="logstash-index-pattern" type="list") {
 property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
 constant(value=".")
 property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
- constant(value=".")
- property(name="timereported" dateFormat="rfc3339" position.from="12" position.to="13")
 }
 # this is for formatting our syslog data in JSON with @timestamp using a "hierarchical" metdata namespace
 template(name="com-redhat-rsyslog-hier"
diff --git a/elastic/templates/browbeat-logstash-.json b/elastic/templates/browbeat-logstash-.json
index 09de9a746..0c9a2956c 100644
--- a/elastic/templates/browbeat-logstash-.json
+++ b/elastic/templates/browbeat-logstash-.json
@@ -1,34 +1,57 @@
 {
- template: "browbeat-logstash-*",
- mappings: {
- result: {
- properties: {
- action: {
- index: "not_analyzed",
- type: "string"
- },
- browbeat_cloud_name: {
- index: "not_analyzed",
- type: "string"
- },
- message: {
- properties: {
- openstack-general-system-performance: {
- index: "not_analyzed",
- type: "string"
+ "template": "logstash-*",
+ "settings": {
+ "index": {
+ "number_of_shards": "5",
+ "number_of_replicas": "0",
+ "mapping": {
+ "total_fields": {
+ "limit": "5000"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "result": {
+ "properties": {
+ "CEE": {
+ "properties": {
+ "failed": {
+ "index": "not_analyzed",
+ "type": "string"
+ },
+ "suspended": {
+ "index": "not_analyzed",
+ "type": "string"
 }
 }
 },
- level: {
- type: "string"
+ "action": {
+ "index": "not_analyzed",
+ "type": "string"
 },
- hostname: {
- index: "not_analyzed",
- type: "string"
+ "browbeat_cloud_name": {
+ "index": "not_analyzed",
+ "type": "string"
 },
- timestamp: {
- type: "date",
- format: "strict_date_optional_time||epoch_millis"
+ "message": {
+ "properties": {
+ "openstack-general-system-performance": {
+ "index": "not_analyzed",
+ "type": "string"
+ }
+ }
+ },
+ "level": {
+ "type": "string"
+ },
+ "hostname": {
+ "index": "not_analyzed",
+ "type": "string"
+ },
+ "timestamp": {
+ "type": "date",
+ "format": "strict_date_optional_time||epoch_millis"
 }
 }
 }
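Review bot: `"number_of_replicas": "0"` in the new `settings` block leaves every matching index with a single copy, so losing one data node loses that day's syslog data, which matters if these logs are ever needed for incident investigation; consider `"number_of_replicas": "1"` unless the target is known to be a single-node cluster. The pattern also widens from `browbeat-logstash-*` to `logstash-*`, so on a shared cluster this template, including the raised `total_fields` limit of `"5000"`, would apply to indices Browbeat does not own; the higher field limit also lets log sources that emit arbitrary JSON keys grow the mapping further before Elasticsearch rejects them. The mappings keep `"type": "string"` with `"index": "not_analyzed"`, which as far as I know ES 5 accepts only as a deprecated form, so `"type": "keyword"` is likely the forward-compatible spelling. The JSON document continues past the end of the hunk.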