@Howard-Chang
Last active February 8, 2018 09:53
logstash-syslog
syslog.conf for 輔大 (Fu Jen Catholic University):

input {
  # FortiGate devices (and relays) send syslog over UDP/514; stdin is kept for
  # pasting sample lines into the pipeline while testing the filters.
  udp {
    port => 514
    type => syslog
  }
  stdin {
    type => stdin
  }
}

filter {
  # Two layouts are accepted, tried in order (grok stops at the first match):
  #  1. a line relayed through another syslog host: BSD timestamp, relay IP,
  #     then the FortiGate "date=YYYY-MM-DD ..." payload;
  #  2. a datagram straight from the FortiGate: "<PRI>" header, then the payload.
  # Either way the key=value part is left in "fgtlogmsg" for the kv filter.
  grok {
    match => {
      "message" => [
        '%{SYSLOGTIMESTAMP} %{IPV4:iphost} date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{GREEDYDATA:fgtlogmsg}',
        '<%{NONNEGINT:syslog_pri}>%{GREEDYDATA:fgtlogmsg}'
      ]
    }
  }

  # Split the FortiGate payload into fields (srcip=..., dstip=..., msg="..."),
  # then drop the raw payload and tag where the event came from.
  if [type] == "syslog" {
    kv {
      source => "fgtlogmsg"
      remove_field => [ "fgtlogmsg" ]
      add_field => { "Log_Type" => "syslog" }
    }
  }
  if [type] == "stdin" {
    kv {
      source => "fgtlogmsg"
      remove_field => [ "fgtlogmsg" ]
      add_field => { "Log_Type" => "stdin" }
    }
  }

  # Rename the FortiGate field names to the NetFlow-style names used downstream.
  mutate {
    rename => {
      "srcip"     => "IPV4_SRC_ADDR"
      "dstip"     => "IPV4_DST_ADDR"
      "proto"     => "PROTOCOL"
      "eventtime" => "LAST_SWITCHED"
    }
  }

  # Decode the <PRI> value (default source field: syslog_pri) into facility and severity.
  syslog_pri { }

  # Anything neither grok pattern understood is discarded rather than indexed.
  if "_grokparsefailure" in [tags] {
    drop { }
  }
}

output {
  elasticsearch { hosts => ["140.136.200.179:9200"] }
  stdout { codec => rubydebug }
}
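To check what fields this pipeline produces for a given line without running Logstash, the following Python script (an added example, not part of the gist) emulates the filter chain above: the two grok patterns tried in order, the kv split, the renames, the syslog_pri decoding and the drop on parse failure. The regexes standing in for grok's SYSLOGTIMESTAMP and IPV4 are simplified assumptions, and the sample lines are constructed.

```python
import re

# Constructed stand-ins for the two grok patterns in the config (grok's own
# SYSLOGTIMESTAMP and IPV4 definitions are broader; these are assumptions).
SYSLOG_TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
GROK_PATTERNS = [  # tried in order, first match wins (grok's break_on_match)
    re.compile(SYSLOG_TS + r" (?P<iphost>" + IPV4 + r") "
               r"date=(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2}) (?P<fgtlogmsg>.*)"),
    re.compile(r"<(?P<syslog_pri>\d+)>(?P<fgtlogmsg>.*)"),
]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # kv filter: key=value or key="a b"
RENAMES = {"srcip": "IPV4_SRC_ADDR", "dstip": "IPV4_DST_ADDR",
           "proto": "PROTOCOL", "eventtime": "LAST_SWITCHED"}
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kernel", "user-level", "mail", "daemon", "security/authorization",
              "syslogd", "line printer", "network news", "uucp", "clock",
              "security/authorization", "ftp", "ntp", "log audit", "log alert",
              "clock"] + [f"local{i}" for i in range(8)]

def parse_event(message, event_type="syslog"):
    """Run one raw line through grok -> kv -> rename -> syslog_pri, or drop it."""
    for pattern in GROK_PATTERNS:
        m = pattern.search(message)  # grok is unanchored, like search()
        if m:
            event = {k: v for k, v in m.groupdict().items() if v is not None}
            break
    else:
        return None  # _grokparsefailure -> drop {}
    # kv filter: split the FortiGate payload, remove it, tag the event source
    for key, quoted, bare in KV.findall(event.pop("fgtlogmsg")):
        event[key] = quoted or bare
    event["Log_Type"] = event_type
    for old, new in RENAMES.items():  # mutate rename, only if the key exists
        if old in event:
            event[new] = event.pop(old)
    if "syslog_pri" in event:  # syslog_pri: facility = pri // 8, severity = pri % 8
        fac, sev = divmod(int(event["syslog_pri"]), 8)
        event["syslog_facility_code"], event["syslog_severity_code"] = fac, sev
        event["syslog_facility"] = FACILITIES[fac] if fac < len(FACILITIES) else "unknown"
        event["syslog_severity"] = SEVERITIES[sev]
    return event

# Constructed samples: a direct FortiGate datagram with a <PRI> header, and a
# relayed line carrying a BSD timestamp and the relay's IP in front of it.
SAMPLES = [
    '<189>date=2018-02-08 time=09:53:00 devname=FGT-TEST type=traffic level=notice '
    'srcip=192.0.2.10 dstip=198.51.100.20 proto=6 action=accept eventtime=1518054780 msg="Hello world"',
    'Feb  8 09:53:00 10.0.0.1 date=2018-02-08 time=09:53:00 srcip=192.0.2.10 '
    'dstip=198.51.100.20 proto=17 action=deny',
]

if __name__ == "__main__":
    for line in SAMPLES + ["random text"]:
        print(parse_event(line))
```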