From 93f272105a98952dae855268dd3d9f35f30e851a Mon Sep 17 00:00:00 2001
From: Matthew Newton
Date: Wed, 1 Apr 2015 12:41:48 +0100
Subject: [PATCH] Small elasticsearch fixups
---
 doc/schemas/logstash/README | 12 +++++++++++-
 doc/schemas/logstash/radius-mapping.sh | 5 +++--
 doc/schemas/logstash/radius.conf | 15 ++++++++-------
 3 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/doc/schemas/logstash/README b/doc/schemas/logstash/README
index d46022d..93b937c 100644
--- a/doc/schemas/logstash/README
+++ b/doc/schemas/logstash/README
@@ -41,13 +41,23 @@ radius.conf
 It processes these by joining each record onto one line, then splitting the tab-delimited key-value pairs out.
- The file will need to be edited at least to set the input method. For
+ The file will need to be edited at least to set the input method: for
 experimentation the given input (stdin) may be used. If logstash is running on the RADIUS server then 'file' input may be appropriate, otherwise a different input such as log-courier or logstash-forwarder may be better to get the data over the network to the logstash server.
+Example usage
+-------------
+
+Install mapping (only needs to be done once):
+$ ./radius-mapping.sh
+
+Feed a detail file in:
+$ /path/to/logstash -f radius.conf < acct-detail
+
+
 See also
 --------
diff --git a/doc/schemas/logstash/radius-mapping.sh b/doc/schemas/logstash/radius-mapping.sh
index dfaf8bd..25f7071 100644
--- a/doc/schemas/logstash/radius-mapping.sh
+++ b/doc/schemas/logstash/radius-mapping.sh
@@ -20,8 +20,9 @@ curl -XPUT '127.0.0.1:9200/_template/radius' -d '
 "type":"string",
 "index":"analyzed"
 }
- },
- "no_analyze_strings":{
+ }
+ },
+ { "no_analyze_strings":{
 "match":"*",
 "match_mapping_type":"string",
 "mapping":{
diff --git a/doc/schemas/logstash/radius.conf b/doc/schemas/logstash/radius.conf
index 9b5a8e9..a837fa3 100644
--- a/doc/schemas/logstash/radius.conf
+++ b/doc/schemas/logstash/radius.conf
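Review bot: The new `{ "no_analyze_strings":{ "match":"*", ...` entry depends on array order that nothing documents: Elasticsearch applies `dynamic_templates` in order and the first matching template wins, so if this catch-all for string fields is ever moved ahead of the analyzed-string template closed by the `} },` above it, that field is mapped by the catch-all instead of being analyzed. JSON cannot carry a comment, so record this in the shell script above the `curl -XPUT ... -d '` line (outside this hunk): `# dynamic_templates are matched in order: keep the "*" no_analyze_strings catch-all last`. Separately, unless the rest of the script already checks the response, `curl -XPUT` without `--fail` exits 0 on an HTTP 4xx, so a template Elasticsearch rejects goes unnoticed by the README's one-time install step; `curl --fail -XPUT ...` would surface it. The template body starts before this hunk and continues past it.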
@@ -23,11 +23,11 @@
 # is stored as a separate field in the output document.
-#input {
-# stdin {
-# type => radiusdetail
-# }
-#}
+input {
+ stdin {
+ type => radiusdetail
+ }
+}
 filter {
@@ -43,12 +43,13 @@ filter {
 # pull off the timestamp
 grok {
- match => [ "message", "^(?[^\t]+)\t" ]
+ match => [ "message", "^(?[^\n\t]+)[\n\t]" ]
 }
 # create the timestamp field
 date {
- match => [ "timestamp", "E MMM dd HH:mm:ss yyyy" ]
+ match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy",
+ "EEE MMM d HH:mm:ss yyyy" ]
 }
 # split the attributes and values into fields
-- 
2.1.4
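Review bot: The grok capture on the new `match => [ "message", ... ]` line reads `(?[^\n\t]+)` here, which is not a valid Oniguruma group (`(?` must be followed by a name or modifier), so either logstash refuses the config or a rendering step has stripped a `<timestamp>` group name; the `date { match => [ "timestamp", ... ] }` block that follows only works if that field is really captured, so please confirm the committed line reads `match => [ "message", "^(?<timestamp>[^\n\t]+)[\n\t]" ]`. The two new `date` patterns, `EEE MMM dd HH:mm:ss yyyy` and `EEE MMM d HH:mm:ss yyyy`, carry no zone token, so the detail-file timestamp is presumably interpreted in the logstash host's local zone; when logstash runs off the RADIUS box (the README suggests a forwarder for that case) records shift by the zone difference, so add `timezone => "..."` to the `date` block or state the assumption with `# assumes detail timestamps are in this host's local zone`. The enclosing `filter {` block starts before this hunk and continues past it.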