From 9ff06bb13ebefb57898418aa084a9da4a7e94e6e Mon Sep 17 00:00:00 2001
From: Andrew <a@3ilson.com>
Date: Mon, 30 Sep 2019 21:56:32 -0400
Subject: [PATCH] Update 05-syslog.conf

---
 conf.d/05-syslog.conf | 33 ++-------------------------------
 1 file changed, 2 insertions(+), 31 deletions(-)

diff --git a/conf.d/05-syslog.conf b/conf.d/05-syslog.conf
index 827cae7..acc3d66 100644
--- a/conf.d/05-syslog.conf
+++ b/conf.d/05-syslog.conf
@@ -6,12 +6,13 @@ filter {
         add_tag => ["pf", "Ready"]
       }
     }
+    #Second instance - add and repeat this for multiple syslogs
     if [host] =~ /192\.168\.1\.1/ {
       mutate {
         add_tag => ["pf-2", "Ready"]
       }
     }
-
+    #Second instance
     if "Ready" not in [tags] {
       mutate {
         add_tag => [ "syslog" ]
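Review bot: The comment added before `if "Ready" not in [tags]` reads `#Second instance`, but that conditional is the fallback that tags events no host rule matched, not a second syslog instance; the instance label already sits on the comment above the host match, so this one should describe the fallback instead, e.g. `#Fallback: events not tagged Ready by any host match above get the generic syslog tag`. The host match the new comment documents, `/192\.168\.1\.1/`, is unanchored, so it also matches hosts such as 192.168.1.10 or 192.168.1.100 and would tag their events as `pf-2`; anchoring it, `if [host] =~ /^192\.168\.1\.1$/ {`, keeps the per-source tagging accurate, though that line is context the commit does not change. The enclosing filter block starts and ends outside the hunk.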
@@ -19,33 +20,3 @@ filter {
     }
   }
 }
-filter {
-  if [type] == "syslog" {
-    mutate {
-      remove_tag => "Ready"
-    }
-  }
-}
-filter {
-  if "syslog" in [tags] {
-    grok {
-      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
-      add_field => [ "received_at", "%{@timestamp}" ]
-      add_field => [ "received_from", "%{host}" ]
-    }
-    syslog_pri { }
-    date {
-      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
-      locale => "en"
-    }
-    if !("_grokparsefailure" in [tags]) {
-      mutate {
-        replace => [ "@source_host", "%{syslog_hostname}" ]
-        replace => [ "@message", "%{syslog_message}" ]
-      }
-    }
-    mutate {
-      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
-    }
-  }
-}
-- 
GitLab