logstash.conf

# input logs
input {
	gelf {
        	port => 12201
		use_udp => true
		use_tcp => false
    	}
}

# log processing

filter {
	# Remove some unnecessary fields
	mutate { remove_field => ["level", "command", "image_id", "image_name", "host", "container_id", "timestamp", "severity", "created", "tag" ] }
	
	# Parse, if possibile, the nested JSON structure
	json { source => "message" }

	# Remove any extra field inside the previous nested JSON
	mutate { remove_field => ["timestamp", "severity"] }

	# Match all the services' logs and transform them for yRCA
	grok {
		match => { "message" => "%{DATA:timestamp} \- %{LOGLEVEL:severity} \- %{DATA:servicename} \- %{GREEDYDATA:event}" }
	}

	# Fix timestamp attribute for yRCA parsing
	mutate { gsub => [ "timestamp", "\Z\d{*}$", "" ] }
	mutate { gsub => [ "timestamp", "Z", "" ]}
}

# output on elasticsearch
output {
	file {
		path => "/etc/logstash/all.json"
	}
}