darkshade9 · November 7, 2019 12:10
diff --git a/logstash-neo4j-querylog.txt b/logstash-neo4j-querylog.txt
        if [type] == "neo4j_logs" {
                if [source] == "/var/log/neo4j/query.log" {
                        grok {
                                match => ["message", "%{TIMESTAMP_ISO8601:datetime} %{WORD:severity} +%{NUMBER:ms} ms: %{NOTSPACE:session-type}     %{WORD:protocol}        %{WORD:remoteUser}      %{NOTSPACE:driver}/(\[)?%{DATA:driver-version}(\])?             client/%{IP:clientip}:%{NUMBER:clientport}  server/%{IP:serverip}:%{NUMBER:serverport}>     %{WORD:remoteUser} - %{GREEDYDATA:query} - (%{GREEDYDATA:parameters})? - {}"]
                                match => ["message", "%{TIMESTAMP_ISO8601:datetime} %{WORD:severity} +%{NUMBER:ms} ms: %{NOTSPACE:session-type}     %{WORD:protocol}        %{IP:clientip}  %{GREEDYDATA:endpoint}  %{WORD:remoteUser} - %{GREEDYDATA:query} - (%{GREEDYDATA:parameters})? - {}"]
                        }
                }
        }
	if [type] == "neo4j_logs" {
	if [source] == "/var/log/neo4j/query.log" {
	grok {
	match => ["message", "%{TIMESTAMP_ISO8601:datetime} %{WORD:severity} +%{NUMBER:ms} ms: %{NOTSPACE:session-type} %{WORD:protocol} %{WORD:remoteUser} %{NOTSPACE:driver}/(\[)?%{DATA:driver-version}(\])? client/%{IP:clientip}:%{NUMBER:clientport} server/%{IP:serverip}:%{NUMBER:serverport}> %{WORD:remoteUser} - %{GREEDYDATA:query} - (%{GREEDYDATA:parameters})? - {}"]
	match => ["message", "%{TIMESTAMP_ISO8601:datetime} %{WORD:severity} +%{NUMBER:ms} ms: %{NOTSPACE:session-type} %{WORD:protocol} %{IP:clientip} %{GREEDYDATA:endpoint} %{WORD:remoteUser} - %{GREEDYDATA:query} - (%{GREEDYDATA:parameters})? - {}"]
	}
	}
	}