- add example for use with syslog.

from freebsd

sysutils/logstash/logstash/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.2 2014/12/19 14:06:32 jasper Exp $
+# $OpenBSD: Makefile,v 1.3 2014/12/20 12:28:04 jasper Exp $
 
 COMMENT=		tool for managing events and logs
 
 # built with https://github.com/elasticsearch/logstash/pull/2236
 DISTNAME=		logstash-1.5.0.beta1
-REVISION=		0
+REVISION=		1
 
 MASTER_SITES=		http://distfiles.nl/ \
 			https://download.elasticsearch.org/logstash/logstash/

sysutils/logstash/logstash/files/logstash.conf

@@ -3,6 +3,11 @@ input {
     type => syslog
     port => 5544
   }
+  file {
+    type => "syslog"
+    path => "/var/log/messages"
+    start_position => "beginning"
+  }
   lumberjack {
     # The port to listen on
     port => 12345
@@ -17,13 +22,26 @@ input {
 }
 
 filter {
-  mutate {
-    add_field => [ "hostip", "%{host}" ]
-  }
+  if [type] == "syslog" {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}  (%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}|%{GREEDYDATA:syslog_message})" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{@source_host}" ]
+    }
 
-  dns {
-    reverse => [ "host" ]
-    action => "replace"
+    if !("_grokparsefailure" in [tags]) {
+      mutate {
+        replace => [ "@source_host", "%{syslog_hostname}" ]
+        replace => [ "@message", "%{syslog_message}" ]
+      }
+    }
+    mutate {
+      remove_field => [ "syslog_hostname", "syslog_message" ]
+    }
+    date {
+      match => [ "syslog_timestamp","MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ] 
+    }
+    syslog_pri { }
   }
 }