Gitolite syslog parsing
danielpops opened this issue · comments
dpopes commented
So apparently gitolite adds an interesting spin to syslog log format:
As per the details outlined here:
Please note:
The first two fields described in the previous section (time, TID) are different. Syslog takes care of putting in the time, and the TID is appended to the ident, so instead of just 'gitolite', you get 'gitolite[$GL_TID]'.
This means actual log lines will look something like this, since syslog appends the actual PID to the ident as well:
Jun 3 09:26:11 sita-lt gitolite[14950][14950]: ssh ARGV=admin SOC=git-receive-pack 'gitolite-admin' FROM=::1
Jun 3 09:26:11 sita-lt gitolite[14950][14950]: pre_git gitolite-admin admin W any refs/.*
Jun 3 09:26:11 sita-lt gitolite[14950][14991]: update gitolite-admin admin W refs/heads/master [snip]
Jun 3 09:26:13 sita-lt gitolite[14950][14950]: END
That's... annoying... So, any chance we can add an optional second PID to the syslog format? And/or any other suggestions on how to consume this in logstash?
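An added example, not part of the original issue or of any project's code: one way to parse the double-bracket ident quoted above and group lines by gitolite TID, so that a hook running under a different PID (14991 in the sample) stays attached to its session. The function names, the assumption that TID and PID are numeric, and the `sshd` line are constructed for illustration.

```python
import re
from collections import defaultdict

# Traditional syslog line whose ident carries gitolite's TID, followed by the
# PID that syslog appends: gitolite[TID][PID]. The second bracket is optional,
# so ordinary "prog[PID]" lines still parse. Assumes numeric TID and PID.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<program>[^\s\[\]:]+)"
    r"(?:\[(?P<first>\d+)\])?(?:\[(?P<second>\d+)\])?:\s"
    r"(?P<message>.*)$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    first, second = rec.pop("first"), rec.pop("second")
    if second is not None:
        # Two brackets: first is gitolite's TID, second is syslog's PID.
        rec["tid"], rec["pid"] = int(first), int(second)
    else:
        # One bracket (or none): a plain PID, no transaction id.
        rec["tid"], rec["pid"] = None, (int(first) if first else None)
    return rec

def group_by_tid(lines):
    """Collect parsed records per TID, preserving input order."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tid"] is not None:
            sessions[rec["tid"]].append(rec)
    return dict(sessions)

# The four lines quoted in the issue, plus one constructed non-gitolite line.
SAMPLE = [
    "Jun 3 09:26:11 sita-lt gitolite[14950][14950]: ssh ARGV=admin SOC=git-receive-pack 'gitolite-admin' FROM=::1",
    "Jun 3 09:26:11 sita-lt gitolite[14950][14950]: pre_git gitolite-admin admin W any refs/.*",
    "Jun 3 09:26:11 sita-lt gitolite[14950][14991]: update gitolite-admin admin W refs/heads/master [snip]",
    "Jun 3 09:26:13 sita-lt gitolite[14950][14950]: END",
    "Jun 3 09:26:14 sita-lt sshd[2201]: constructed single-PID line",
]

if __name__ == "__main__":
    for tid, recs in group_by_tid(SAMPLE).items():
        print(tid, [(r["pid"], r["message"].split()[0]) for r in recs])
```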