diff --git a/10-syslog(test).conf b/10-syslog(test).conf
new file mode 100644
index 0000000000000000000000000000000000000000..ecbf3542ac1c9e69d866ad3d0011b050b750dab9
--- /dev/null
+++ b/10-syslog(test).conf
@@ -0,0 +1,55 @@
+filter {  
+  if [type] == "syslog" {
+    #for multiple pfSense
+    #if [host] => ["192.168.0.1", "192.168.50.1", "192.168.100.1"]
+    #change to pfSense ip address
+    if [host] =~ /192\.168\.1\.1/ {
+      mutate {
+        add_tag => ["PFSense", "Ready"]
+      }
+    }
+    #if [host] =~ /192\.168\.100\.1/ {
+    #  mutate {
+    #    add_tag => ["PFSense#2", "Ready"]
+    #  }
+    #}
+    if "Ready" not in [tags] {
+      mutate {
+        add_tag => [ "syslog" ]
+      }
+    }
+  }
+}
+filter {  
+  if [type] == "syslog" {
+    mutate {
+      remove_tag => "Ready"
+    }
+  }
+}
+filter {  
+  if "syslog" in [tags] {
+    grok {
+      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+      add_field => [ "received_at", "%{@timestamp}" ]
+      add_field => [ "received_from", "%{host}" ]
+    }
+    syslog_pri { }
+    date {
+      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM  dd HH:mm:ss" ]
+      locale => "en"
+    }
+    if !("_grokparsefailure" in [tags]) {
+      mutate {
+        replace => [ "@source_host", "%{syslog_hostname}" ]
+        replace => [ "@message", "%{syslog_message}" ]
+      }
+    }
+    mutate {
+      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
+    }
+#    if "_grokparsefailure" in [tags] {
+#      drop { }
+#    }
+  }
+}