From 9e1dd3b7e1a5fd60c00bff70eb06d6fa7f03d7c5 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 3 May 2017 10:42:42 -0700
Subject: [PATCH] Handle the new journald based logs

These logs have slightly more information. Also they have syslog timestamps not iso8601 timestamps.

Change-Id: I7eaa35b3259d17f7e1f5f69e5acf41bddec685f7
---
 filters/openstack-filters.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/filters/openstack-filters.conf b/filters/openstack-filters.conf
index 39d6c09..4b9b3cd 100644
--- a/filters/openstack-filters.conf
+++ b/filters/openstack-filters.conf
@@ -22,7 +22,7 @@ filter {
 } else if "oslofmt" in [tags] {
 multiline {
 negate => true
- pattern => "^%{TIMESTAMP_ISO8601} "
+ pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) "
 what => "previous"
 stream_identity => "%{host}.%(unknown)"
 }
@@ -35,7 +35,7 @@ filter {
 # NUMBER being required element here is important, otherwise
 # ERROR messages just fold into the previous messages, which are
 # typically INFO.
- pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
+ pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
 what => "previous"
 stream_identity => "%{host}.%(unknown)"
 }
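Review bot: The `(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})` alternation added to this multiline `pattern` is repeated verbatim in the hunks at -35 and -43, so the three stages can drift apart the next time a log prefix changes (the TODO in the -43 hunk already asks for a proper grok pattern for the LOGLEVELs). Both the multiline and grok filters accept a `patterns_dir`, so one custom pattern in a patterns file, for example (constructed name) `OSLOTIMESTAMP (?:%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})`, would let every stage write `%{OSLOTIMESTAMP}` and stay in lockstep. The enclosing `filter {` block begins before this hunk.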
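Review bot: The rewritten TRACE/ERROR `pattern` still requires `%{NUMBER}` immediately after the timestamp, yet the grok in the -43 hunk expects journald lines to carry `syslog_program[pid]:` in that position, so for those lines this stage cannot match and, assuming it keeps the non-negated `what => "previous"` the comment above implies, a traceback's TRACE lines remain separate events instead of being joined to the ERROR that starts them. If the journald layout is as the -43 hunk describes, this pattern needs the same alternative, e.g. `pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})%{SPACE}(%{DATA}(?:\[%{POSINT}\])?:|%{NUMBER})%{SPACE}(TRACE|ERROR)"`. The enclosing `multiline {` block opens before this hunk, so its `negate` setting is not visible here.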
@@ -43,7 +43,7 @@ filter {
 # Do multiline matching as the above mutliline filter may add newlines
 # to the log messages.
 # TODO move the LOGLEVELs into a proper grok pattern.
- match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
+ match => { "message" => "(?m)^(%{TIMESTAMP_ISO8601:logdate}|%{SYSLOGTIMESTAMP:logdate})%{SPACE}(%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:|%{NUMBER:pid})?%{SPACE}?(?AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
 add_field => { "received_at" => "%{@timestamp}" }
 }
 } else if "apachecombined" in [tags] {
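Review bot: The new `%{SYSLOGTIMESTAMP:logdate}` alternative in the `match` line yields a year-less `MMM dd HH:mm:ss` value, and the `date` filter that turns `logdate` into `@timestamp` is outside this hunk, so check that it also gets a syslog-format match or these events will keep their ingest time and be tagged `_dateparsefailure`. In the same line `%{DATA:syslog_program}` is a lazy `.*?` that, under `(?m)`, may run across the lines the multiline stage folded together, so for the unchanged ISO8601 form every `:` in the whole event is tried before the `%{NUMBER:pid}` branch is reached; listing the cheap branch first, `(%{NUMBER:pid}|%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:)?`, gives the same captures without that scan. As rendered, `(?AUDIT|CRITICAL|…)` has no valid group syntax; presumably it is a named capture whose `<name>` was stripped by the page, so confirm against the file rather than the diff.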