File: //usr/share/filebeat/module/mongodb/log/ingest/pipeline-plaintext.yml
description: Pipeline for parsing MongoDB logs in plaintext
processors:
- grok:
field: message
patterns:
- '%{TIMESTAMP_ISO8601:mongodb.log.timestamp}%{SPACE}%{MONGO3_SEVERITY:log.level}%{SPACE}%{MONGO3_COMPONENT:mongodb.log.component}%{SPACE}(?:\[%{DATA:mongodb.log.context}\])?%{SPACE}%{GREEDYDATA:message}'
ignore_missing: true
- date:
field: mongodb.log.timestamp
target_field: '@timestamp'
formats:
- yyyy-MM-dd'T'HH:mm:ss.SSSZZ
- remove:
field: mongodb.log.timestamp
- append:
field: event.type
value: access
if: "ctx?.mongodb?.log?.component == 'ACCESS'"
- append:
field: event.type
value: change
if: "ctx?.mongodb?.log?.component == 'WRITE'"
- append:
field: event.type
value: info
if: "ctx?.mongodb?.log?.component != 'WRITE' && ctx?.mongodb?.log?.component != 'ACCESS'"
- append:
field: event.type
value: error
if: "ctx?.log?.level == 'F' || ctx?.log?.level == 'E'"
on_failure:
- set:
field: error.message
value: '{{ _ingest.on_failure_message }}'