From 14f662ca2d670774fee34498febb87576db1fce8 Mon Sep 17 00:00:00 2001
From: Michael Riedmann <michael_riedmann@live.com>
Date: Sun, 25 Jan 2015 21:27:32 +0100
Subject: [PATCH] added grok-pattern-files configurable over pillars

---
 logstash/files/pattern.jinja2 |  7 +++++++
 logstash/init.sls             | 22 ++++++++++++++++++++++
 pillar.example                | 14 +++++++++++++-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 logstash/files/pattern.jinja2

diff --git a/logstash/files/pattern.jinja2 b/logstash/files/pattern.jinja2
new file mode 100644
index 0000000..42b127b
--- /dev/null
+++ b/logstash/files/pattern.jinja2
@@ -0,0 +1,7 @@
+############################# 
+#      MANAGED BY SALT      #
+# !! DON'T EDIT MANUALLY !! #
+#############################
+{%- for pattern in (patterns|load_json) %}
+{{ pattern }}
+{%- endfor %}
diff --git a/logstash/init.sls b/logstash/init.sls
index a9969eb..d25a926 100644
--- a/logstash/init.sls
+++ b/logstash/init.sls
@@ -48,12 +48,34 @@ logstash-config-filters:
     - template: jinja
     - require:
       - pkg: logstash-pkg
+
 {%- else %}
 logstash-config-filters:
   file.absent:
     - name: /etc/logstash/conf.d/02-filters.conf
 {%- endif %}
 
+{%- if logstash.patterns is defined %}
+{%- for name, patterns in logstash.patterns.items() %}
+logstash-pattern-{{name}}:
+  file.managed:
+    - name: /etc/logstash/patterns/{{name}}
+    - template: jinja
+    - source: salt://logstash/files/pattern.jinja2
+    - context:
+        patterns: '{{patterns|json}}'
+    - makedirs: True
+    - require:
+      - pkg: logstash-pkg
+    - watch_in:
+      - service: logstash-svc
+{%- endfor %}
+{%- else %}
+logstash-patterns:
+  file.absent:
+    - name: /etc/logstash/patterns
+{%- endif %}
+
 {%- if logstash.outputs is defined %}
 logstash-config-outputs:
   file.managed:
diff --git a/pillar.example b/pillar.example
index f5fffc1..27cc664 100644
--- a/pillar.example
+++ b/pillar.example
@@ -36,4 +36,16 @@ logstash:
       hosts:
         - logs.example.com
       port: 5000
-      ssl_certificate: /etc/ssl/certs/lumberjack.crt
\ No newline at end of file
+      ssl_certificate: /etc/ssl/certs/lumberjack.crt
+
+  # custom grok-pattern-files going to /etc/logstash/pattern
+  patterns:
+    # filename will be "syslog"
+    syslog:
+      # one entry per line in file
+      - 'SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:message}'
+    salt:
+      - 'SALTLOG_LEVEL (?:DEBUG|FATAL|ERROR|WARNING|INFO)'
+      - 'SALTCMD @?[a-z]\w+(?:\.@?[a-z]\w+)*'
+      - 'SALTLOGBASE %{TIMESTAMP_ISO8601:timestamp} \[%{SALTCMD:saltcmd}(?:([ \t]+)?)\]\[%{SALTLOG_LEVEL:priority}(?:[ \t]+)\] %{GREEDYDATA:message}'
+