Add new patterns

[vmesquita]

Hi!

I am trying to add some patterns to match /var/log/maillog fields, following the ideas in the logstash Book (https://logstashbook.com/)

So the author suggest to add the following code to te file /etc/logstash/patterns:

Code: Select all

COMP ([\w._\/%-]+)
COMPPID postfix\/%{COMP:component}(?:\[%{POSINT:pid}\])?
QUEUEID ([A-F0-9]{5,15}{1})
EMAILADDRESSPART [a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILADDRESSPART:local}@%{EMAILADDRESSPART:remote}
POSTFIX %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{COMPPID}: %{QUEUEID:queueid}
POSTFIXQMGR %{POSTFIX}: (?:removed|from=<(?:%{EMAILADDRESS:from})?>(?:, size=%{POSINT:size}, nrcpt=%{POSINT:nrcpt} \(%{GREEDYDATA:queuestatus}\))?)

However the file doesn't exist, not even the folder /etc/logstash. So in Nagios Log Server install, where should I put this file, or how can I add new patterns?

[hsmith]

Check /usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns/grok-patterns out.

[vmesquita]

That's exactly what I needed. Thanks.

[mcapra]

Is it alright if we lock this thread and mark the issue as resolved?

[eloyd]

FYI - we got tired of remembering that, and just make a link: /usr/local/patterns -> /usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.1.10/patterns/grok-patterns

[rkennedy]

That works too

@vmesquita - let us know if you have any further questions.

[vmesquita]

Thanks! It's all working, you can close the thread.