diff --git a/10-syslog(test).conf b/10-syslog(test).conf
new file mode 100644
index 0000000000000000000000000000000000000000..ecbf3542ac1c9e69d866ad3d0011b050b750dab9
--- /dev/null
+++ b/10-syslog(test).conf
@@ -0,0 +1,55 @@
+filter {
+ if [type] == "syslog" {
+ #for multiple pfSense
+ #if [host] => ["192.168.0.1", "192.168.50.1", "192.168.100.1"]
+ #change to pfSense ip address
+ if [host] =~ /192\.168\.1\.1/ {
+ mutate {
+ add_tag => ["PFSense", "Ready"]
+ }
+ }
+ #if [host] =~ /192\.168\.100\.1/ {
+ # mutate {
+ # add_tag => ["PFSense#2", "Ready"]
+ # }
+ #}
+ if "Ready" not in [tags] {
+ mutate {
+ add_tag => [ "syslog" ]
+ }
+ }
+ }
+}
+filter {
+ if [type] == "syslog" {
+ mutate {
+ remove_tag => "Ready"
+ }
+ }
+}
+filter {
+ if "syslog" in [tags] {
+ grok {
+ match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
+ add_field => [ "received_at", "%{@timestamp}" ]
+ add_field => [ "received_from", "%{host}" ]
+ }
+ syslog_pri { }
+ date {
+ match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ locale => "en"
+ }
+ if !("_grokparsefailure" in [tags]) {
+ mutate {
+ replace => [ "@source_host", "%{syslog_hostname}" ]
+ replace => [ "@message", "%{syslog_message}" ]
+ }
+ }
+ mutate {
+ remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
+ }
+# if "_grokparsefailure" in [tags] {
+# drop { }
+# }
+ }
+}
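Review bot: The pfSense check `if [host] =~ /192\.168\.1\.1/` is unanchored, so any host whose address merely contains that string (192.168.1.10, 192.168.1.100, 10.192.168.1.1) is also tagged `PFSense` and routed away from the generic syslog grok, which matters because `[host]` is acting as the trust/routing key for firewall events here. Compare it exactly, `if [host] == "192.168.1.1" {`, or anchor the pattern, `if [host] =~ /^192\.168\.1\.1$/ {`. The commented-out multi-firewall variant uses `=>`, which is not a Logstash conditional operator; the working list form is `#if [host] in ["192.168.0.1", "192.168.50.1", "192.168.100.1"] {`, so the comment as written would mislead whoever uncomments it. The two `add_field` lines in the grok block repeat the same option, which presumably relies on the parser merging duplicate settings; one hash is unambiguous: `add_field => { "received_at" => "%{@timestamp}" "received_from" => "%{host}" }`.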