├── LICENSE ├── README.md ├── beats ├── conf │ └── filebeat │ │ └── filebeat.yml └── filebeatify.sh └── elk ├── Dockerfile ├── elkstack.sh ├── filebeat.template.json └── logstash ├── 02-beats-input.conf ├── 10-syslog-filter.conf ├── 15-openstack-filter.conf ├── 30-elasticsearch-output.conf └── grok /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Dimitri Mazmanov 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # elkstack 2 | ElasticSearch, Logstash, Kibana, Filebeat for OpenStack 3 | -------------------------------------------------------------------------------- /beats/conf/filebeat/filebeat.yml: -------------------------------------------------------------------------------- 1 | filebeat: 2 | prospectors: 3 | - 4 | paths: 5 | - "/var/log/syslog" 6 | - "/var/log/auth.log" 7 | document_type: syslog 8 | - 9 | paths: 10 | - "/var/log/nova/*.log" 11 | document_type: nova 12 | - 13 | paths: 14 | - "/var/log/neutron/*.log" 15 | document_type: neutron 16 | - 17 | paths: 18 | - "/var/log/cinder/*.log" 19 | document_type: cinder 20 | - 21 | paths: 22 | - "/var/log/glance/*.log" 23 | document_type: glance 24 | - 25 | paths: 26 | - "/var/log/heat/*.log" 27 | document_type: heat 28 | - 29 | paths: 30 | - "/var/log/httpd/*.log" 31 | document_type: http 32 | - 33 | paths: 34 | - "/var/log/horizon/*.log" 35 | document_type: horizon 36 | - 37 | paths: 38 | - "/var/log/keystone/*.log" 39 | document_type: keystone 40 | - 41 | paths: 42 | - "/var/log/mariadb/*.log" 43 | document_type: mariadb 44 | - 45 | paths: 46 | - "/var/log/messages" 47 | document_type: syslog 48 | - 49 | paths: 50 | - "/var/log/mongodb/*.log" 51 | document_type: mongodb 52 | - 53 | paths: 54 | - "/var/log/openvswitch/*.log" 55 | document_type: openvswitch 56 | - 57 | paths: 58 | - "/var/log/pacemaker.log" 59 | document_type: pacemaker 60 | - 61 | paths: 62 | - "/var/log/ceilometer/*.log" 63 | document_type: ceilometer 64 | - 65 | paths: 66 | - "/var/log/cron" 67 | document_type: cron 68 | - 69 | paths: 70 | - "/var/log/rabbitmq/*.log-2*" 71 | document_type: rabbitmq 72 | - 73 | paths: 74 | - "/var/log/libvirt/*.log" 75 | document_type: libvirt 76 | 77 | output: 78 | logstash: 79 | enabled: true 80 | hosts: 81 | - localhost:5044 82 | 
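index: filebeat 83 | bulk_max_size: 50 -------------------------------------------------------------------------------- /beats/filebeatify.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Install Filebeat from the Elastic apt repository, put this repository's
# filebeat.yml in place, restart the service and enable it at boot.

# A failed key download must fail the pipeline instead of being masked by apt-key.
set -o pipefail

# Resolve the config relative to this script so it can be run from any directory.
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Import the Elastic signing key so apt can authenticate the package.
# The install previously depended on --force-yes, which also accepts
# unauthenticated packages; with the key trusted that flag is not needed.
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - || {
    echo "could not import the Elastic package signing key" >&2
    exit 1
}

# `tee` without -a: a re-run must not append a duplicate source line.
echo "deb https://packages.elastic.co/beats/apt stable main" | sudo tee /etc/apt/sources.list.d/beats.list
sudo apt-get update
sudo apt-get -y install filebeat

# NOTE(review): the shipped filebeat.yml forwards /var/log/auth.log and the
# other logs to localhost:5044 and has no TLS settings. When Logstash runs on
# another host, change `hosts` and enable TLS on both the Beats output and the
# Logstash beats input before shipping.
sudo cp "$script_dir/conf/filebeat/filebeat.yml" /etc/filebeat/filebeat.yml

sudo service filebeat restart
sudo update-rc.d filebeat defaults 95 10
-------------------------------------------------------------------------------- /elk/Dockerfile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | # Copyright (c) 2015 Ericsson AB and others. 3 | # 4 | # All rights reserved. This program and the accompanying materials 5 | # are made available under the terms of the Apache License, Version 2.0 6 | # which accompanies this distribution, and is available at 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | ############################################################################## 9 | 10 | FROM ubuntu:14.04 11 | MAINTAINER Dimitri Mazmanov 12 | 13 | COPY . 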
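/tmp/elkstack 14 | 15 | RUN echo 'sudo service logstash start' >> /tmp/elkstack/start.sh 16 | RUN echo 'sudo service elasticsearch start' >> /tmp/elkstack/start.sh 17 | RUN echo 'sudo service kibana start' >> /tmp/elkstack/start.sh 18 | 19 | RUN cd /tmp/elkstack && /bin/bash /tmp/elkstack/elkstack.sh 20 | 21 | EXPOSE 80 22 | EXPOSE 22 23 | EXPOSE 9200 24 | EXPOSE 5044 25 | 26 | ENV HOME /home/elkstack 27 | WORKDIR /home/elkstack 28 | 29 | CMD bash -C '/tmp/elkstack/start.sh';'bash' 30 | -------------------------------------------------------------------------------- /elk/elkstack.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Provision Elasticsearch 2.x, Logstash 2.2 and Kibana 4.4 from the Elastic apt
# repositories, install the management plugins, copy the Logstash pipeline
# files and load the Beats dashboards.
#
# Runs from the directory that contains logstash/ (the Dockerfile does
# `cd /tmp/elkstack` before calling it).

# A failed key download must fail the pipeline instead of being masked by apt-key.
set -o pipefail

# HTTPS apt sources need apt-transport-https on Ubuntu 14.04, and curl fetches
# the signing key. Both come from the distribution archive, so install them
# before the Elastic sources are added.
sudo apt-get update
sudo apt-get -y install apt-transport-https curl

# Trust the Elastic signing key so apt can authenticate the packages below.
# The installs previously went through --force-yes over plain-HTTP sources,
# which accepts unauthenticated packages from anyone on the network path.
curl -fsSL https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - || {
    echo "could not import the Elastic package signing key" >&2
    exit 1
}

# `tee` without -a on all three: a re-run must not append duplicate source lines.
echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee /etc/apt/sources.list.d/elasticsearch-2.x.list
echo "deb https://packages.elastic.co/kibana/4.4/debian stable main" | sudo tee /etc/apt/sources.list.d/kibana-4.4.x.list
echo "deb https://packages.elastic.co/logstash/2.2/debian stable main" | sudo tee /etc/apt/sources.list.d/logstash-2.2.x.list

sudo apt-get update
sudo apt-get -y install unzip openjdk-7-jre python-pip

sudo apt-get -y install elasticsearch

# Install management tools
# NOTE(review): both are fetched unpinned (the plugin from its GitHub
# repository, curator as the latest PyPI release); pin versions so a rebuild
# cannot silently pull different code. The head plugin is a cluster
# administration UI served on the Elasticsearch HTTP port, so keep 9200
# reachable from trusted hosts only.
sudo /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
sudo pip install elasticsearch-curator

sudo service elasticsearch restart
sudo update-rc.d elasticsearch defaults 95 10

sudo apt-get -y install logstash

# Install beats plugin for logstash
sudo /opt/logstash/bin/plugin install logstash-input-beats
sudo /opt/logstash/bin/plugin update logstash-input-beats

# Copy logstash configuration files
# NOTE(review): the glob also copies logstash/grok, a pattern file rather than
# pipeline configuration, into conf.d, and the grok filters in this repository
# set no patterns_dir. Confirm how Logstash is meant to find those patterns.
sudo cp logstash/* /etc/logstash/conf.d/

sudo service logstash restart
sudo update-rc.d logstash defaults 96 9

sudo apt-get -y install kibana
sudo service kibana start
sudo update-rc.d kibana defaults 96 9

# NOTE(review): lines 37-43 of the script did not survive in this listing; the
# text between the wait loop's input redirection and a later output redirection
# is missing. The remaining fragment is kept as it appears and is not runnable;
# restore these lines from the repository.
while ! nc -q 1 localhost 9200 /dev/null 2>&1
cd beats-dashboards-1.1.1/
./load.sh
cd ..
-------------------------------------------------------------------------------- /elk/filebeat.template.json: -------------------------------------------------------------------------------- 1 | { 2 | "mappings": { 3 | "_default_": { 4 | "_all": { 5 | "enabled": true, 6 | "norms": { 7 | "enabled": false 8 | } 9 | }, 10 | "dynamic_templates": [ 11 | { 12 | "template1": { 13 | "mapping": { 14 | "doc_values": true, 15 | "ignore_above": 1024, 16 | "index": "not_analyzed", 17 | "type": "{dynamic_type}" 18 | }, 19 | "match": "*" 20 | } 21 | } 22 | ], 23 | "properties": { 24 | "@timestamp": { 25 | "type": "date" 26 | }, 27 | "message": { 28 | "type": "string", 29 | "index": "analyzed" 30 | }, 31 | "offset": { 32 | "type": "long", 33 | "doc_values": "true" 34 | } 35 | } 36 | } 37 | }, 38 | "settings": { 39 | "index.refresh_interval": "5s" 40 | }, 41 | "template": "filebeat-*" 42 | } -------------------------------------------------------------------------------- /elk/logstash/02-beats-input.conf: -------------------------------------------------------------------------------- 1 | input { 2 | beats { 3 | port => 5044 4 | } 5 | } -------------------------------------------------------------------------------- /elk/logstash/10-syslog-filter.conf: -------------------------------------------------------------------------------- 1 | filter { 2 | if [type] == "syslog" { 3 | grok { 4 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" } 5 | add_field => [ "received_at", "%{@timestamp}" ] 6 | add_field => [ "received_from", "%{host}" ] 7 | } 8 | syslog_pri { } 9 | date { 10 | match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd 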
HH:mm:ss" ] 11 | } 12 | } 13 | } -------------------------------------------------------------------------------- /elk/logstash/15-openstack-filter.conf: -------------------------------------------------------------------------------- 1 | filter { 2 | if [type] == "nova" { 3 | grok { 4 | break_on_match => true 5 | match => [ 6 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{ID} %{GREEDYDATA:openstack_instance_action}", 7 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{RESOURCE_DISK_RAM:Free_disk_ram}", 8 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{RESOURCE_CPU:Free_vcpus}", 9 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{WORD} %{NOTSPACE:openstack_image_id} %{NOTSPACE} %{NOTSPACE:openstack_image_location} %{GREEDYDATA:image_message}", 10 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{NOVA_INSTANCE_REQUEST:nova_api_request} %{NOTSPACE} %{NOTSPACE} %{INT:nova_response_code} %{NOTSPACE} %{INT} %{NOTSPACE} %{NUMBER:nova_response_time}", 11 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{QUOTEDSTRING:nova_api_request} %{NOTSPACE} %{INT:nova_response_code} %{NOTSPACE} %{INT} %{NOTSPACE} 
%{NUMBER:nova_response_time}", 12 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{BASE_FILE} %{PATH:openstack_basefile_path}" 13 | ] 14 | add_tag => "openstack_logs" 15 | add_tag => "nova" 16 | } 17 | } 18 | 19 | if [type] == "glance" { 20 | grok { 21 | break_on_match => true 22 | match => [ 23 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GREEDYDATA} %{IP:IP}", 24 | #"message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GLANCE_IMAGE_MESSAGE:glance_image_message}", 25 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GLANCE_IMAGE_MESSAGE:glance_image_message} %{UUID:glance_image_id}", 26 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{GREEDYDATA} %{QUOTEDSTRING:glance_api_request} %{INT:glance_response_code} %{INT} %{NUMBER:glance_response_time}" 27 | ] 28 | add_tag => "openstack_logs" 29 | add_tag => "glance" 30 | } 31 | } 32 | 33 | if [type] == "neutron" { 34 | grok { 35 | break_on_match => true 36 | match => [ 37 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{DATA} %{UUID:neutron_segment_id} %{WORD} %{WORD} %{WORD:neutron_network_type} %{WORD} %{WORD} %{UUID:neutron_network_id}", 38 | "message", 
"%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{GREEDYDATA} %{QUOTEDSTRING:neutron_api_request} %{INT:neutron_response_code} %{INT} %{NUMBER:neutron_response_time}", 39 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{NEUTRON_ACCEPT_MESSAGE:neutron_accept_message}" 40 | ] 41 | add_tag => "openstack_logs" 42 | add_tag => "neutron" 43 | } 44 | } 45 | 46 | if [type] == "keystone" { 47 | grok { 48 | break_on_match => true 49 | match => [ 50 | "message", " %{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{GREEDYDATA} %{QUOTEDSTRING:keystone_api_request} %{INT:keystone_response_code} %{INT} %{NUMBER:keystone_response_time}" 51 | ] 52 | add_tag => "openstack_logs" 53 | add_tag => "keystone" 54 | } 55 | } 56 | 57 | # Catch API and general messages 58 | if [type] == "cinder" { 59 | if [message] =~ /(?i)"GET|"POST|"DELETE|GET|POST|DELETE/ { 60 | grok { 61 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{GREEDYDATA} %{QUOTEDSTRING:cinder_api_request} %{INT:cinder_response_code} %{INT} %{NUMBER:cinder_response_time}"] 62 | add_tag => "openstack_logs" 63 | add_tag => "cinder" 64 | } 65 | } else { 66 | grok { 67 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GREEDYDATA:cinder_message}"] 68 | add_tag => "openstack_logs" 69 | add_tag => "cinder" 70 | } 71 | } 72 | } 
73 | 74 | if [type] == "heat" { 75 | if [message] =~ /(?i)"GET|"POST|"DELETE|GET|POST|DELETE/ { 76 | grok { 77 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{IP:IP} %{GREEDYDATA} %{QUOTEDSTRING:heat_api_request} %{INT:heat_response_code} %{INT} %{NUMBER:heat_response_time}"] 78 | add_tag => "openstack_logs" 79 | add_tag => "heat" 80 | } 81 | } else { 82 | grok { 83 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GREEDYDATA:heat_message}"] 84 | add_tag => "openstack_logs" 85 | add_tag => "heat" 86 | } 87 | } 88 | } 89 | 90 | if [message] =~ /(?i)Compute_service record|Auditing locally|Loading compute driver|wsgi starting up|Stopping WSGI server|WSGI server has stopped|Skipping periodic task|nova.openstack.common.service|Connected to AMQP server|keystoneclient.middleware.auth_token|Starting new HTTP connection|Returning detailed image list|SIGTERM/ { 91 | drop {} 92 | } 93 | 94 | if ([message] =~"Quota exceeded for resources") { 95 | grok { 96 | match => [ 97 | "message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GREEDYDATA:resource_failed}" 98 | ] 99 | add_tag => "openstack_logs" 100 | add_tag => "resource_quota" 101 | remove_tag => "_grokparsefailure" 102 | } 103 | } 104 | # All matching filter for grokparsefailures, traceback & extensions 105 | if "_grokparsefailure" in [tags] { 106 | if ([message] =~"Traceback") { 107 | grok { 108 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} 
%{GREEDYDATA:openstack_trace}"] 109 | add_tag => "openstack_trace" 110 | remove_tag => "_grokparsefailure" 111 | } 112 | } else if ([message] =~ /(?i)Loaded extension/) { 113 | grok { 114 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GREEDYDATA:openstack_extension}"] 115 | add_tag => "extension_loaded" 116 | remove_tag => "_grokparsefailure" 117 | } 118 | } else { 119 | grok { 120 | match => ["message", "%{HOSTNAME:openstack_hostname} %{TIMESTAMP_ISO8601:timestamp} %{POSINT:openstack_pid} %{OPENSTACK_LOGLEVEL:openstack_loglevel} %{OPENSTACK_PROG:openstack_program}%{REQ_LIST} %{GREEDYDATA:openstack_message}"] 121 | add_tag => "openstack_logs" 122 | add_tag => "unmatched_event" 123 | remove_tag => "_grokparsefailure" 124 | } 125 | } 126 | } 127 | 128 | if "python" in [command] { 129 | drop{} 130 | } 131 | } 132 | 133 | -------------------------------------------------------------------------------- /elk/logstash/30-elasticsearch-output.conf: -------------------------------------------------------------------------------- 1 | output { 2 | elasticsearch { 3 | hosts => ["localhost:9200"] 4 | sniffing => true 5 | manage_template => false 6 | index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" 7 | document_type => "%{[@metadata][type]}" 8 | } 9 | } -------------------------------------------------------------------------------- /elk/logstash/grok: -------------------------------------------------------------------------------- 1 | OPENSTACK_PID ( %{POSINT:pid:int})? 2 | 3 | OPENSTACK_PROG (?:[ a-zA-Z0-9_\-]+\.)+[ A-Za-z0-9_\-$]+ 4 | 5 | OPENSTACK_PROG_SINGLE [A-Za-z0-9_\-$]+ 6 | 7 | OPENSTACK_SOURCE %{OPENSTACK_PROG}|%{OPENSTACK_PROG_SINGLE} 8 | 9 | OPENSTACK_REQ_LIST (\[(?:(req-%{UUID}|%{UUID}|%{BASE16NUM}|None|-|%{SPACE}))+\])? 
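# Log level keyword in capitalised, lower-case or upper-case form.
# The character classes list exactly the two intended letters: `[A-a]` is a
# range that also covers every upper-case letter and several punctuation
# characters, and `[T|t]` accepts a literal `|`, so both matched strings that
# are not log levels.
OPENSTACK_LOGLEVEL ([Aa]lert|ALERT|[Aa]udit|AUDIT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)

# Whole-line layout: timestamp, optional pid, level, source program, optional request-id list, message.
OPENSTACK_NORMAL %{TIMESTAMP_ISO8601:timestamp}%{OPENSTACK_PID} %{OPENSTACK_LOGLEVEL:loglevel} %{OPENSTACK_SOURCE:program} %{OPENSTACK_REQ_LIST:request_id_list} %{GREEDYDATA:openstack_message}

# A line that does not start with a digit, or an empty line.
RAW_TRACE (?:^[^0-9].*$|^$)

# Optional bracketed list of request ids.
# NOTE(review): %{SPACE} can match an empty string or a run of whitespace
# inside the repeated group, which can make the regex engine backtrack heavily
# on a malformed line and stall a pipeline worker. Log content is partly
# caller-controlled, so consider tightening this alternative and check it
# against sample logs.
REQ_LIST (\[(?:(req-%{UUID:request_id_list}|%{UUID:request_id_list}|%{BASE16NUM}|None|-|%{SPACE}))+\])?

# Optional bracketed "instance: <uuid>" marker.
ID (\[(?:(instance: %{UUID:openstack_instance_id}))+\])?


# Nova resource usage
RESOURCE_DISK_RAM (%{WORD} %{WORD} %{NOTSPACE} %{INT:Free_disk_ram_count})
RESOURCE_CPU (%{WORD} %{NOTSPACE} %{INT:Free_vcpus_count})
COMPUTE_SERVICE (%{WORD} %{WORD} %{WORD} %{WORD} %{NOTSPACE})
BASE_FILE (%{NOTSPACE} %{NOTSPACE} %{NOTSPACE})
CLAIM_REQ (?:Attempting claim: memory %{NUMBER:mem:float} MB, disk %{NUMBER:disk:float} GB, VCPUs %{NUMBER:cpu:float})
NOVA_INSTANCE_REQUEST %{NOVA_INSTANCE} %{CLAIM_REQ}
NOVA_INSTANCE (?:\[instance: %{UUID:instance_id}\])

# Nova uses a slightly different format than Neutron, Cinder, and Glance for API call logging
#
# NOTE(review): HTTP_METHOD is not defined in this file; confirm that another
# pattern file supplies it, otherwise both API call patterns fail to compile.
API_CALL (%{URIHOST:client_ip}((?:[,]*)%{URIHOST:client_ip})*) - - \[%{GREEDYDATA}\]?"%{HTTP_METHOD:method} %{URIPATHPARAM:uri} HTTP/%{NOTSPACE:protocol}[\\]?" %{NUMBER:response_status:int} %{NUMBER:response_length:int} %{NUMBER:response_time:float}

NOVA_API_CALL (%{URIHOST:client_ip}((?:[,]*)%{URIHOST:client_ip})*) [\\]?"%{HTTP_METHOD:method} %{URIPATHPARAM:uri} HTTP/%{NOTSPACE:protocol}[\\]?" status: %{NUMBER:response_status:int} len: %{NUMBER:response_length:int} time: %{NUMBER:response_time:float}

OPENSTACK_API_CALL %{API_CALL}|%{NOVA_API_CALL}

# Glance
GLANCE_IMAGE_MESSAGE (%{WORD} %{WORD} %{WORD} %{WORD}|%{WORD} %{WORD} %{WORD})

# Neutron
NEUTRON_ACCEPT_MESSAGE (%{NOTSPACE} %{WORD} %{NOTSPACE} %{INT})
NEUTRON_PORT_UPDATE (%{WORD} %{UUID:neutron_port_id} %{WORD}%{NOTSPACE})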