{
"filter":[
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"accumulo_master"
]
}
},
"log4j_format":"%d{ISO8601} [%-8c{2}] %-5p: %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}\\[%{JAVACLASS:logger_name}\\]%{SPACE}%{LOGLEVEL:level}:%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"comment":"This one has one extra space after LEVEL",
"conditions":{
"fields":{
"type":[
"accumulo_gc",
"accumulo_monitor",
"accumulo_tracer",
"accumulo_tserver"
]
}
},
"log4j_format":"%d{ISO8601} [%-8c{2}] %-5p: %X{application} %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}\\[%{JAVACLASS:logger_name}\\]%{SPACE}%{LOGLEVEL:level}%{SPACE}:%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"atlas_app",
"falcon_app"
]
}
},
"log4j_format":"%d %-5p - [%t:%x] ~ %m (%c{1}:%L)%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{SPACE}-%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}~%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"ams_collector"
]
}
},
"log4j_format":"%d{ISO8601} %p %c: %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}:%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"ams_hbase_master",
"ams_hbase_regionserver",
"hbase_master",
"hbase_regionserver"
]
}
},
"log4j_format":"%d{ISO8601} %-5p [%t] %c{2}: %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}%{JAVACLASS:logger_name}:%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"ambari_agent"
]
}
},
"log4j_format":"",
"multiline_pattern":"^(%{LOGLEVEL:level} %{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{LOGLEVEL:level} %{TIMESTAMP_ISO8601:logtime} %{JAVAFILE:file}:%{INT:line_number} - %{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
},
"level":{
"map_field_value":{
"pre_value":"WARNING",
"post_value":"WARN"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"ambari_server"
]
}
},
"log4j_format":"%d{DATE} %5p [%t] %c{1}:%L - %m%n",
"multiline_pattern":"^(%{USER_SYNC_DATE:logtime})",
"message_pattern":"(?m)^%{USER_SYNC_DATE:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}%{JAVACLASS:logger_name}:%{INT:line_number}%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"dd MMM yyyy HH:mm:ss"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"hdfs_datanode",
"hdfs_journalnode",
"hdfs_secondarynamenode",
"hdfs_namenode",
"hdfs_zkfc",
"knox_gateway",
"knox_cli",
"knox_ldap",
"mapred_historyserver",
"yarn_historyserver",
"yarn_jobsummary",
"yarn_nodemanager",
"yarn_resourcemanager",
"yarn_timelineserver"
]
}
},
"log4j_format":"%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\(%{JAVAFILE:file}:%{JAVAMETHOD:method}\\(%{INT:line_number}\\)\\)%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"hive_hiveserver2",
"hive_metastore"
]
}
},
"log4j_format":"%d{ISO8601} %-5p [%t]: %c{2} (%F:%M(%L)) - %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}\\[%{DATA:thread_name}\\]:%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\(%{JAVAFILE:file}:%{JAVAMETHOD:method}\\(%{INT:line_number}\\)\\)%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"kafka_controller",
"kafka_request",
"kafka_logcleaner"
]
}
},
"log4j_format":"[%d] %p %m (%c)%n",
"multiline_pattern":"^(\\[%{TIMESTAMP_ISO8601:logtime}\\])",
"message_pattern":"(?m)^\\[%{TIMESTAMP_ISO8601:logtime}\\]%{SPACE}%{LOGLEVEL:level}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"comment":"Supposed to be the same log4j pattern as the other kafka processes, but for some reason the thread is not printed",
"conditions":{
"fields":{
"type":[
"kafka_server",
"kafka_statechange"
]
}
},
"log4j_format":"[%d] %p %m (%c)%n",
"multiline_pattern":"^(\\[%{TIMESTAMP_ISO8601:logtime}\\])",
"message_pattern":"(?m)^\\[%{TIMESTAMP_ISO8601:logtime}\\]%{SPACE}%{LOGLEVEL:level}%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"oozie_app"
]
}
},
"log4j_format":"%d{ISO8601} %5p %c{1}:%L - SERVER[${oozie.instance.id}] %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{DATA:logger_name}:%{INT:line_number}%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"logsearch_app",
"logsearch_feeder",
"logsearch_perf",
"ranger_admin",
"ranger_dbpatch"
]
}
},
"log4j_format":"%d [%t] %-5p %C{6} (%F:%L) - %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\(%{JAVAFILE:file}:%{INT:line_number}\\)%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"ranger_kms"
]
}
},
"log4j_format":"%d{ISO8601} %-5p %c{1} - %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"ranger_usersync"
]
}
},
"log4j_format":"%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] - %m%n",
"multiline_pattern":"^(%{USER_SYNC_DATE:logtime})",
"message_pattern":"(?m)^%{USER_SYNC_DATE:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"dd MMM yyyy HH:mm:ss"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"storm_drpc",
"storm_logviewer",
"storm_nimbus",
"storm_supervisor",
"storm_ui",
"storm_worker"
]
}
},
"log4j_format":"",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\[%{LOGLEVEL:level}\\]%{SPACE}%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss.SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"zookeeper"
]
}
},
"log4j_format":"%d{ISO8601} - %-5p [%t:%C{1}@%L] - %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}-%{SPACE}%{LOGLEVEL:level}%{SPACE}\\[%{DATA:thread_name}\\@%{INT:line_number}\\]%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"logtime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"grok",
"conditions":{
"fields":{
"type":[
"hdfs_audit"
]
}
},
"log4j_format":"%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n",
"multiline_pattern":"^(%{TIMESTAMP_ISO8601:evtTime})",
"message_pattern":"(?m)^%{TIMESTAMP_ISO8601:evtTime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}:%{SPACE}%{GREEDYDATA:log_message}",
"post_map_values":{
"evtTime":{
"map_date":{
"date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
}
}
}
},
{
"filter":"keyvalue",
"sort_order":1,
"conditions":{
"fields":{
"type":[
"hdfs_audit"
]
}
},
"source_field":"log_message",
"value_split":"=",
"field_split":"\t",
"post_map_values":{
"src":{
"map_field_name":{
"new_field_name":"resource"
}
},
"ip":{
"map_field_name":{
"new_field_name":"cliIP"
}
},
"allowed":[
{
"map_field_value":{
"pre_value":"true",
"post_value":"1"
}
},
{
"map_field_value":{
"pre_value":"false",
"post_value":"0"
}
},
{
"map_field_name":{
"new_field_name":"result"
}
}
],
"cmd":{
"map_field_name":{
"new_field_name":"action"
}
},
"proto":{
"map_field_name":{
"new_field_name":"cliType"
}
},
"callerContext":{
"map_field_name":{
"new_field_name":"req_caller_id"
}
}
}
},
{
"filter":"grok",
"sort_order":2,
"source_field":"ugi",
"remove_source_field":"false",
"conditions":{
"fields":{
"type":[
"hdfs_audit"
]
}
},
"message_pattern":"%{USERNAME:p_user}.+auth:%{USERNAME:p_authType}.+via %{USERNAME:k_user}.+auth:%{USERNAME:k_authType}|%{USERNAME:user}.+auth:%{USERNAME:authType}|%{USERNAME:x_user}",
"post_map_values":{
"user":{
"map_field_name":{
"new_field_name":"reqUser"
}
},
"x_user":{
"map_field_name":{
"new_field_name":"reqUser"
}
},
"p_user":{
"map_field_name":{
"new_field_name":"reqUser"
}
},
"k_user":{
"map_field_name":{
"new_field_name":"proxyUsers"
}
},
"p_authType":{
"map_field_name":{
"new_field_name":"authType"
}
},
"k_authType":{
"map_field_name":{
"new_field_name":"proxyAuthType"
}
}
}
}
]
}