From 7265514b4c178fb09f435c321d5beec794ba74e1 Mon Sep 17 00:00:00 2001 From: Eric Fontana Date: Wed, 30 Jul 2014 07:49:05 -0400 Subject: [PATCH] more doc --- Filters.md | 70 ++++++++++++++++++++++++++++++++++----------- mdocs/GrokFilter.md | 28 +++++++++--------- 2 files changed, 68 insertions(+), 30 deletions(-) diff --git a/Filters.md b/Filters.md index b3bf668..d56b31a 100644 --- a/Filters.md +++ b/Filters.md @@ -4,27 +4,63 @@ The following filters are provided. | Filter | Description | :---------------- |:----------------------------------------------------------------------- -| *[grok][4]* |Similar to the [logstash grok][1] filter -| *[date][5]* |Similar to the [logstash date][2] filter -| *[mutate][6]* |Similar to the [logstash mutate][3] filter +| *[grok][4]* |Similar to the [logstash grok][1] filter +| *[date][5]* |Similar to the [logstash date][2] filter +| *[mutate][6]* |Similar to the [logstash mutate][3] filter Example Input: ```json -{ - "TimberWinR": { - "Inputs": { - "WindowsEvents": [ - { - "source": "System,Application", - "binaryFormat": "PRINT", - "resolveSIDS": true - } + "Filters": [ + { + "grok": { + "condition": "[type] == \"Win32-Eventlog\"", + "match": [ + "Message", + "" + ], + "remove_field": [ + "ComputerName" ] - } - } -} + } + }, + { + "grok": { + "match": [ + "message", + "%{SYSLOGLINE}" + ], + "add_field": [ + "Hello", "from %{logsource}" + ] + } + }, + { + "date": { + "condition": "[type] == \"Win32-FileLog\"", + "match": [ + "timestamp", + "MMM d HH:mm:sss", + "MMM dd HH:mm:ss" + ], + "add_field": [ + "UtcTimestamp" + ], + "convertToUTC": true + } + }, + { + "mutate": { + "_comment": "Custom Rules", + "rename": [ + "ComputerName", "Host", + "host", "Host", + "message","Message", + "type","Type", + "SID", "Username" + ] + } + } +] ``` - - [1]: http://logstash.net/docs/1.4.2/filters/grok [2]: http://logstash.net/docs/1.4.2/filters/date [3]: http://logstash.net/docs/1.4.2/filters/mutate diff --git a/mdocs/GrokFilter.md b/mdocs/GrokFilter.md index f30ada1..f61a5d0 100644 --- a/mdocs/GrokFilter.md +++ b/mdocs/GrokFilter.md @@ -21,7 +21,7 @@ For the above example, your grok filter would look something like this: %{NUMBER:duration} %{IP:client} -## Mutate Operations +## Grok Operations The following operations are allowed when mutating a field. | Operation | Type | Description @@ -46,13 +46,7 @@ The pattern for this could be: ``` %{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration} ``` -And if the message matches, then 5 fields would be added to the event: - 1. client=55.3.244.1 - 2. method=GET - 3. request=/index.html - 4. bytes=15824 - 5. duration=0.043 - +Given this configuration ```json "Filters": [ { @@ -61,18 +55,26 @@ And if the message matches, then 5 fields would be added to the event: "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ], - "add_tag": [ - "rn_%{Index}", - "bar" + "add_tag": [ + "http_log" ], "add_field": [ - "foo_%{logsource}", - "Hello dude from %{ComputerName}" + "verb", "%{method}" ] } } ] ``` +And if the message matches, then 6 fields would be added to the event: + 1. client=55.3.244.1 + 2. method=GET + 3. request=/index.html + 4. bytes=15824 + 5. duration=0.043 + 6. verb=GET + +And the following tag will be added + 1. tag: { "http_log" } ### condition "C# expression" If present, the condition must evaluate to true in order for the remaining operations to be performed. If there is no condition specified