From 61a228e25948a3c686b4953c7d22966b0745bfec Mon Sep 17 00:00:00 2001
From: a3ilson <a@3ilson.com>
Date: Thu, 2 Nov 2017 18:19:07 -0400
Subject: [PATCH] Create 10-syslog.conf

---
 10-syslog.conf | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 10-syslog.conf

diff --git a/10-syslog.conf b/10-syslog.conf
new file mode 100644
index 0000000..e4c6cc2
--- /dev/null
+++ b/10-syslog.conf
@@ -0,0 +1,50 @@
+filter {  
+  if [type] == "syslog" {
+    #for multiple pfSense
+    #if [host] =~ /^0\.0\.0\.0$/ or [host] =~ /^0\.0\.0\.0$/
+    #change to pfSense ip address
+    if [host] =~ /192\.168\.1\.1/ {
+      mutate {
+        add_tag => ["PFSense", "Ready"]
+      }
+    }
+    if "Ready" not in [tags] {
+      mutate {
+        add_tag => [ "syslog" ]
+      }
+    }
+  }
+}
+filter {  
+  if [type] == "syslog" {
+    mutate {
+      remove_tag => "Ready"
+    }
+  }
+}
+filter {  
+  if "syslog" in [tags] {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{host}" ]
+    }
+    syslog_pri { }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM  dd HH:mm:ss" ]
+      locale => "en"
+    }
+    if !("_grokparsefailure" in [tags]) {
+      mutate {
+        replace => [ "@source_host", "%{syslog_hostname}" ]
+        replace => [ "@message", "%{syslog_message}" ]
+      }
+    }
+    mutate {
+      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
+    }
+#    if "_grokparsefailure" in [tags] {
+#      drop { }
+#    }
+  }
+}
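Review bot: The host match on the `if [host] =~ /192\.168\.1\.1/` line is unanchored, so any host whose address contains that substring (192.168.1.10, 192.168.1.1xx, and similar) is also tagged PFSense/Ready and skips the syslog grok path; the commented template two lines above shows the anchored form, so the live condition should read `if [host] =~ /^192\.168\.1\.1$/ {`. The `date` filter sets only `match` and `locale`: a SYSLOGTIMESTAMP carries neither year nor zone, so Logstash will fill both from the host it runs on, and a pipeline used for incident timelines should pin `timezone => "<TZ-OF-SOURCE-PLACEHOLDER>"` (a constructed placeholder; take the real value from the pfSense box) so `@timestamp` is not skewed when collector and firewall disagree. The three `filter {  ` opening lines carry trailing whitespace; harmless to Logstash but worth trimming.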
-- 
GitLab