From 6713b07e48a9f3e34c8881533a49fe8bfdbfeead Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Sun, 29 Sep 2019 00:27:28 -0400
Subject: [PATCH] Update pf-09.2019.grok

- Elastic Common Schema
- Linked 10-pf.conf to lines 11-12, eliminating adjustment when using pfSense/OPNsense
---
 pf-09.2019.grok | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pf-09.2019.grok b/pf-09.2019.grok
index 50e2189..5a42f49 100644
--- a/pf-09.2019.grok
+++ b/pf-09.2019.grok
@@ -5,9 +5,12 @@
 # Edited 14 Feb 2015 by Elijah Paul elijah.paul@gmail.com
 # Edited 10 Mar 2015 by Bernd Zeimetz <bernd@bzed.de>
 # Edited 28 Oct 2017 by Brian Turek <brian.turek@gmail.com>
-# Edited 5 Jan 2017 by Andrew Wilson <andrew@3ilson.com>
+# Edited 2017-2019 by Andrew Wilson <andrew@3ilson.com>
 # Edited 30 Apr 2019 by Mike Eriksson <mike@swedishmike.org>
 
+PFSENSE %{MONTH}.%{MONTHDAY}.*%{TIME}.%{WORD:application}:.%{GREEDYDATA:msg}
+OPNSENSE %{MONTH}.%{MONTHDAY}.*%{TIME}.%{HOSTNAME}.%{WORD:application}:.%{GREEDYDATA:msg}
+
 PF_LOG_ENTRY %{PF_LOG_DATA}%{PF_IP_SPECIFIC_DATA}%{PF_IP_DATA}%{PF_PROTOCOL_DATA}?
 PF_LOG_DATA %{INT:event.code},%{INT:sub_rule}?,,%{INT:tracker},%{DATA:interface},%{WORD:event.outcome},%{WORD:event.action},%{WORD:network.direction},
 PF_IP_DATA %{INT:length},%{IP:source.ip},%{IP:destination.ip},
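Review bot: The two new PFSENSE and OPNSENSE patterns use unescaped `.` and `.*` as field separators, so `%{MONTH}.%{MONTHDAY}.*%{TIME}` and `%{WORD:application}:.` match any character rather than the whitespace in a syslog header, which lets malformed or log-injected lines match in unintended ways and gives the greedy `.*` room to backtrack on long inputs. Explicit whitespace is tighter and cheaper: `PFSENSE %{MONTH}\s+%{MONTHDAY}\s+%{TIME}\s+%{WORD:application}:\s+%{GREEDYDATA:msg}` and likewise `OPNSENSE %{MONTH}\s+%{MONTHDAY}\s+%{TIME}\s+%{HOSTNAME}\s+%{WORD:application}:\s+%{GREEDYDATA:msg}`. The `:.` presumably stands for a literal colon-space, and the `.*` may be intentionally skipping extra fields, so confirm against a real pfSense and OPNsense syslog sample before tightening. The hunk also adds no comment saying why these two envelope patterns exist; a line such as `# Syslog envelope for pfSense / OPNsense filterlog lines, referenced from 10-pf.conf` above them would record the dependency the commit message describes.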
-- 
GitLab