My task is to send email notifications if cron writes an error in /var/log/cron.log.
My logstash-forwarder.conf:
{
"network": {
"servers": [ "myserver.domain.com:5000" ],
"timeout": 15,
"ssl key": "/etc/logstash/logstash.key",
"ssl certificate": "/etc/logstash/logstash.crt",
"ssl ca": "/etc/logstash/ca.crt"
},
"files": [
{
"paths": [
"/var/log/syslog"
],
"fields": { "type": "syslog" }
},
{
"paths": [
"/var/log/cron.log"
],
"fields": { "type": "cron" }
}
]
}
logstash-input.conf:
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/ssl/private/logstash.crt"
ssl_key => "/etc/ssl/private/logstash.key"
}
}
logstash-filter.log:
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
filter {
if [message] == "CRON" and [message] == "error" {
throttle {
key => "%{message}"
add_tag => "catched"
}
}
}
logstash-output.conf:
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug }
if "catched" in [tags] {
email {
from => "logstash@someserver.com"
to => "user@someserver.com"
subject => "Alert from %{path}, from %{host}"
body => "Message is: \n'%{message}'. \nLog file:\n %{path}:\n\n%{message}.\n More information can be viewed in Kibana"
}
}
}
Now all events are mailed to me. How can i get only error events from cron.log? Are they filtered by add_tag section?
I am not sure about a content of your /var/log/cron.log.
I think you have conditional issue. Try use this:
if [type] == "cron" and [message] =~ /error/ {
throttle {
key => "%{message}"
add_tag => "catched"
}
}