updated bwi.conf logstash conf

dockerfiles/logstash/configs/bwi.conf

@@ -9,7 +9,7 @@ input {
   # }
     file{
         type => syslog
-        path => "/data/*"
+        path => "/config/*"
         start_position => "beginning"
     }
 }
@@ -70,25 +70,35 @@ filter {
         }
         geoip {
             source => "mwg[dst]"
-            target => "mwg[dst_geo]"
         }
-        # geoip {
-        #     source => "mwg[src]"
-        #     target => "mwg[src_geo]"
-        # }
-        #url aufteilen nach subdomain.domain.tld
+
         grok {
-          match => { "mwg[url]" => "%{URIPROTO:mwg[urlparsed][proto]}://(?<mwg[urlparsed][subdom]>[^/]+)\.(?<mwg[urlparsed][domain]>[^/.]+)\.(?<mwg[urlparsed][tld]>[^/.]+)" }
+          match => { "mwg[url]" => "%{URIPROTO:mwg[parsedurl][protocol]}://(?<mwg[parsedurl][host]>[^/]+)(/(?<mwg[parsedurl][path]>[^?]+)(\?%{GREEDYDATA:mwg[parsedurl][parameters]})?)?" }
+        }
+        grok {
+        match => { "mwg[parsedurl][host]" => "((?<mwg[parsedurl][subdomain]>[^/]+)\.)?(?<mwg[parsedurl][domain]>[^/.]+)\.(?<mwg[parsedurl][tld]>[^/.]+)" }
         }
 
+        if [mwg.parsedurl.domain] == "google"{
+          grok {
+            match => { "mwg[parsedurl][parameters]" => "(?<mwg[parsedurl][googlesearch]>q=[^&]+)" }
+          }
+        }
+
+	# parsing von allen url parameter macht probleme weil zu viele
+        # kv {
+        #         source => "mwg[parsedurl][parameters]"
+        #         field_split => "&"
+        #         target => "mwg[parsedurl][parsedparameters]"
+        # }
 
-          # mutate {
-          #    split => { "syslog_message" => "|" }
-          # }
 
     }
 }
 output {
-  elasticsearch { hosts => ["elasticsearch:9200"] }
-  # stdout { codec => rubydebug }
+#  elasticsearch {
+#    hosts => ["elasticsearch:9200"]
+#    index => "logstash-bwi-casenr"
+#  }
+  stdout { codec => rubydebug }
 }