2

I'm using Logstash on Debian 9 and I want to use custom grok patterns. So I've added them to the directory /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns - created new files and also modified existing ones (grok-patterns, auth, etc.).

The problem is that my changes in the original files were overwritten and lost (at 02:35 a.m. 12.6.2018).

Is there some automatic updating of logstash-patterns-core? How can I change existing grok patterns?

Xdg

1 Answer

2

Unfortunately, the directory structure where you modified the file is for binaries. You don't need to modify any files at all to add custom patterns. Please have a look at Logstash Directory layout here.

Instead of modifying or adding files under a binary path, you can create a new directory under /etc/logstash, call it a pattern and add your custom patterns there.

You can then import custom patterns as follows,

filter {
    grok {
        patterns_dir => "../patterns"
        match => ["message", "%{ANYPATTERN}"]
    }
}
Sufiyan Ghori
  • If I want to override an original pattern, is it possible this way? And is it possible to specify patterns_dir only once (I use many grok sections)? Thanks! – Xdg Jun 28 '18 at 11:55
  • That is correct, a custom pattern takes priority over a default pattern. So, if you have a pattern in the core directory and in a custom directory, the one in the custom directory will be applied. Hence there is no need to modify your default patterns at all. – Sufiyan Ghori Jun 28 '18 at 23:59
  • You also need to define patterns_dir every time you use the `grok` filter – Sufiyan Ghori Jun 29 '18 at 00:00
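
The setup the answer describes, as an added example that is not part of the original thread: a script that stages a custom pattern file for /etc/logstash/patterns and a grok filter that loads it through an absolute patterns_dir. The pattern name SSHD_FAILED, the file names, the field names and the staging-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Pattern name, file names and the
# staging-root argument are hypothetical.
set -eu

# install_custom_patterns ROOT
# Writes a pattern file and a pipeline snippet below ROOT and prints the path
# of the pipeline file. ROOT is a staging prefix; pass "" to write to /etc.
install_custom_patterns() {
    root="${1:-}"
    patterns_dir="$root/etc/logstash/patterns"
    conf_dir="$root/etc/logstash/conf.d"
    mkdir -p "$patterns_dir" "$conf_dir"

    # One "NAME regex" definition per line, the same format the core pattern
    # files use. The definition reuses core patterns (WORD, USERNAME, IP, INT).
    cat > "$patterns_dir/sshd" <<'EOF'
# SSHD_FAILED: hypothetical custom pattern for sshd authentication failures
SSHD_FAILED Failed %{WORD:auth_method} for (?:invalid user )?%{USERNAME:user} from %{IP:src_ip} port %{INT:src_port}
EOF

    # patterns_dir is an absolute path, so it does not depend on the working
    # directory Logstash was started from. It is set in this grok block and
    # has to be repeated in every other grok block that uses custom patterns.
    cat > "$conf_dir/10-sshd-filter.conf" <<'EOF'
filter {
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} sshd\[%{POSINT:pid}\]: %{SSHD_FAILED}" }
    tag_on_failure => ["_grokparsefailure_sshd"]
  }
}
EOF
    printf '%s\n' "$conf_dir/10-sshd-filter.conf"
}

# Usage: sh install-patterns.sh /tmp/stage   (or "" to write under /etc)
# Afterwards the configuration can be checked with:
#   /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit
if [ "$#" -gt 0 ]; then
    install_custom_patterns "$1"
fi
```

Files created this way live outside the logstash-patterns-core gem directory, so edits to them are kept separate from the packaged pattern files.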