| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 |
- input {
- syslog {
- type => syslog
- port => 5544
- }
- file {
- type => "syslog"
- path => "/var/log/messages"
- start_position => "beginning"
- }
- # lumberjack {
- # # The port to listen on
- # port => 12345
- #
- # # The paths to your ssl cert and key
- # ssl_certificate => "/etc/logstash/logstash-forwarder.crt"
- # ssl_key => "/etc/logstash/logstash-forwarder.key"
- #
- # # Set this to whatever you want.
- # type => "logs"
- # }
- }
- filter {
- if [type] == "syslog" {
- grok {
- match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} (%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}|%{GREEDYDATA:syslog_message})" }
- add_field => [ "received_at", "%{@timestamp}" ]
- add_field => [ "received_from", "%{@source_host}" ]
- }
- if !("_grokparsefailure" in [tags]) {
- mutate {
- replace => [ "@source_host", "%{syslog_hostname}" ]
- replace => [ "@message", "%{syslog_message}" ]
- }
- }
- mutate {
- remove_field => [ "syslog_hostname", "syslog_message" ]
- }
- date {
- match => [ "syslog_timestamp","MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
- }
- syslog_pri { }
- }
- }
- output {
- elasticsearch {
- hosts => ["localhost"]
- }
- }
|
