From f7bcc4bfa6250fa07c4a8b268fbf9d1efb7928db Mon Sep 17 00:00:00 2001
From: Eric Fontana
Date: Thu, 31 Jul 2014 08:20:18 -0400
Subject: [PATCH] Doc tweaks
---
 README.md | 39 ++++++++++++++++++++++++++----
 TimberWinR.ServiceHost/config.json | 26 ++++++++++----------
 2 files changed, 47 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index a35dc7b..8e58a01 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ TimberWinR
 A Native Windows to Redis Logstash Agent which runs as a service.
 ## Why have TimberWinR?
 TimberWinR is a native .NET implementation utilizing Microsoft's [LogParser](http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx). This means
-no JVM/JRuby is required, and LogParser does all the heavy lifting. TimberWinR collects
+no JVM/JRuby is required, and LogParser does all the heavy lifting. TimberWinR collects
 the data from LogParser and ships it to Logstash via Redis.
 ## Basics
@@ -18,7 +18,7 @@ The current supported Input format sources are:
 1. [Logs](https://github.com/efontana/TimberWinR/blob/master/TimberWinR/mdocs/Logs.md) (Files, a.k.a Tailing a file)
 2. [Tcp](https://github.com/efontana/TimberWinR/blob/master/TimberWinR/mdocs/TcpInput.md) (listens on a port for JSON messages)
 3. [IISW3C](https://github.com/efontana/TimberWinR/blob/master/TimberWinR/mdocs/IISW3CInput.md)(Internet Information Services W3C Format)
- 4. [WindowsEvents](https://github.com/efontana/TimberWinR/blob/master/TimberWinR/mdocs/WindowsEvents.md)
+ 4. [WindowsEvents](https://github.com/efontana/TimberWinR/blob/master/TimberWinR/mdocs/WindowsEvents.md) (Windows Event Viewer)
 ## Filters
 The current list of supported filters are:
@@ -47,19 +47,48 @@ TimberWinR reads a JSON configuration file, an example file is shown here:
 }
 ]
 },
+ "Filters": [
+ {
+ "grok": {
+ "condition": "[type] == \"Win32-Eventlog\"",
+ "match": [
+ "Message",
+ ""
+ ],
+ "remove_field": [
+ "ComputerName"
+ ]
+ }
+ }
+ ],
 "Outputs": {
 "Redis": [
 {
+ "_comment": "Shuffle these hosts",
 "host": [
- "server1.host.com"
+ "server1.host.com",
+ "server2.host.com"
 ]
 }
 ]
 }
 }
 ```
-This configuration collects Events from the Windows Event Logs (System, Application) and forwards them
-to Redis.
+This configuration:
+ 1. Inputs: Events from the Windows Event Logs (System, Application)
+ 2. Filters: Removes the ComputerName field
+ 3. Sends the event to Redis services (server1.host.com, server2.host.com) in a shuffling manner (balanced).
+
+## Installation
+You must first install LogParser, then install TimberWinR. Install LogParser from here:
+
+[Install LogParser](http://www.microsoft.com/en-us/download/details.aspx?id=24659) from Microsoft.
+
+After installing, follow the remaining directions here.
+## Running Interactively
+```
+TimberWinR.ServiceHost.exe -configFile:myconfig.json -logLevel:Debug
+```
 ## Installation as a Windows Service
 TimberWinR uses [TopShelf](http://topshelf-project.com/) to install as a service, so all the documentation
diff --git a/TimberWinR.ServiceHost/config.json b/TimberWinR.ServiceHost/config.json
index 90f975c..ed19c09 100644
--- a/TimberWinR.ServiceHost/config.json
+++ b/TimberWinR.ServiceHost/config.json
@@ -15,18 +15,6 @@
 }
 ]
 },
- "Outputs": {
- "Redis": [
- {
- "threads": 1,
- "interval": 5000,
- "batch_count": 500,
- "host": [
- "tstlexiceapp006.vistaprint.svc"
- ]
- }
- ]
- },
 "Filters": [
 {
 "grok": {
@@ -92,6 +80,18 @@
 ]
 }
 }
- ]
+ ],
+ "Outputs": {
+ "Redis": [
+ {
+ "threads": 1,
+ "interval": 5000,
+ "batch_count": 500,
+ "host": [
+ "tstlexiceapp006.vistaprint.svc"
+ ]
+ }
+ ]
+ }
 }
 }
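Review bot: The sample configuration committed at TimberWinR.ServiceHost/config.json still carries what looks like an internal hostname, `tstlexiceapp006.vistaprint.svc`, in the relocated Redis `host` list (hunk @@ -92,6 +80,18 @@); the README example in this same commit uses `server1.host.com`, and the checked-in sample would be better off with the same kind of placeholder so an internal service name is not published in the repository. Moving `Outputs` after `Filters` changes nothing for a JSON parser, since member order carries no meaning, so if the reorder is meant to mirror the Inputs → Filters → Outputs pipeline it is documentation by layout and nothing in the loader should depend on it. The enclosing object these hunks close starts outside the hunk.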