Unverified Commit 9ff06bb1 authored by Andrew's avatar Andrew Committed by GitHub
Update 05-syslog.conf

parent e9f73c3b
...@@ -6,12 +6,13 @@ filter { ...@@ -6,12 +6,13 @@ filter {
add_tag => ["pf", "Ready"] add_tag => ["pf", "Ready"]
} }
} }
#Second instance - add and repeat this for multiple syslogs
if [host] =~ /192\.168\.1\.1/ { if [host] =~ /192\.168\.1\.1/ {
mutate { mutate {
add_tag => ["pf-2", "Ready"] add_tag => ["pf-2", "Ready"]
} }
} }
#Second instance
if "Ready" not in [tags] { if "Ready" not in [tags] {
mutate { mutate {
add_tag => [ "syslog" ] add_tag => [ "syslog" ]
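Review bot: The host test on `if [host] =~ /192\.168\.1\.1/ {` is an unanchored regex, so it also matches 192.168.1.10 through 192.168.1.199 (and any host name containing that substring) and would tag events from those hosts as the second pfSense instance, `pf-2`. Anchoring it, `if [host] =~ /^192\.168\.1\.1$/ {`, or using an equality test, `if [host] == "192.168.1.1" {`, limits it to the intended device; the first-instance match above this hunk is likely written the same way and worth checking too. Separately, the `#Second instance` comment placed above `if "Ready" not in [tags] {` labels the catch-all block that tags everything else as plain syslog, which is not a second instance; `# Anything not tagged Ready above is treated as generic syslog` would describe it. The enclosing `filter {` block starts and ends outside the hunk.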
...@@ -19,33 +20,3 @@ filter { ...@@ -19,33 +20,3 @@ filter {
} }
} }
} }
filter {
if [type] == "syslog" {
mutate {
remove_tag => "Ready"
}
}
}
filter {
if "syslog" in [tags] {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
locale => "en"
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
replace => [ "@message", "%{syslog_message}" ]
}
}
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
}
}
}