Reputation: 1835
How to use custom Logstash grok patterns?
I'm using Logstash on Debian 9 and I want to use custom grok patterns. So I've added them to directory /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns - created new files and also modified existing (grok-patterns, auth, etc.).
Problem is that my changes in original files was overwritten and lost (at 02:35 a.m. 12.6.2018).
Is there some automatic updating of logstash-patterns-core? How can I change existing grok patterns?
Upvotes: 2
Views: 2822
Answers (1)
Reputation: 18743
Unfortunately, the directory structure where you modified the file is for binaries. You don't need to modify any files at all to add custom patterns. Please have a look at Logstash Directory layout here.
Instead of modifying or adding files under a binary path, you can create a new directory under /etc/logstash, call it a pattern and add your custom patterns there.
You can then import custom patterns as follows,
filter {
grok {
patterns_dir => "../patterns"
match =>["message", "%{ANYPATTERN}" ]
}
}
Upvotes: 2
Related Questions
- Nginx grok pattern for logstash
- Finding grok pattern for Log file
- Grok pattern for log files
- Grok pattern for simple syslog
- Grok custom pattern
- How to write custom grok for logstash
- Custom Grok Pattern for logs
- GROK custom pattern filter in logstash
- How to write grok pattern in logstash
- Grok pattern for logstash / elasticsearch