@bbybblank
Forked from martinseener/gist:5247292
Last active April 11, 2017 13:55
Grok Sophos UTM 9.x Pattern (for logstash) (Simple)
input {
  # Sophos UTM remote syslog can be sent over TCP or UDP; both listeners use port 5140
  tcp {
    port => 5140
  }
  udp {
    port => 5140
  }
}

filter {
  # Split the raw syslog line into PRI, UTM timestamp, host, program name, pid and message body
  grok {
    match => { "message" => "<%{POSINT:syslog_pri}>%{DATA:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]\: %{GREEDYDATA:syslog_message}" }
  }
  # UTM writes timestamps as yyyy:MM:dd-HH:mm:ss with no zone; the parsed value becomes @timestamp.
  # The Logstash host's timezone is assumed; set a timezone option here if the UTM runs in another zone.
  date {
    match => [ "syslog_timestamp", "yyyy:MM:dd-HH:mm:ss" ]
  }
  # The message body is a sequence of key="value" pairs; kv turns each pair into an event field
  kv {
    source => "syslog_message"
  }
  # Use the UTM daemon name (httpproxy, ...) as the event type and drop the raw fields already parsed
  mutate {
    replace => { "type" => "%{syslog_program}" }
    remove_field => [ "syslog_message", "syslog_timestamp" ]
  }
  # For web proxy events, additionally pull the scheme and host out of the url field
  if [type] == "httpproxy" {
    grok { match => { "url" => "(?<protocol>https?)://%{IPORHOST:url_domain}/" } }
  }
} # end of filter

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "utm-%{+YYYY.MM.dd}"
  }
  # Uncomment while debugging: prints every parsed event to the console
  # stdout { codec => rubydebug }
}
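To see what the filter chain above actually produces for a UTM line before wiring it into Logstash, the following Python script replays the same steps (grok, date, kv, mutate, conditional grok) with plain regular expressions. It is an added example, not part of the gist; the regexes are hand-written simplifications of the grok patterns (SYSLOGHOST in particular is approximated by a run of hostname/IP characters), and the two input lines are constructed samples modelled on the UTM key="value" format rather than captured logs.

```python
import re
from datetime import datetime

# Simplified, hand-translated equivalents of the grok patterns used in the gist.
# SYSLOGHOST is approximated by a run of hostname/IP characters (assumption).
SYSLOG_LINE = re.compile(
    r"<(?P<syslog_pri>[1-9][0-9]*)>"           # POSINT:syslog_pri
    r"(?P<syslog_timestamp>.*?) "               # DATA:syslog_timestamp
    r"(?P<syslog_host>[A-Za-z0-9._:-]+) "       # SYSLOGHOST:syslog_host
    r"(?P<syslog_program>.*?)"                  # DATA:syslog_program
    r"\[(?P<syslog_pid>[0-9]+)\]: "             # NUMBER:syslog_pid
    r"(?P<syslog_message>.*)$"                  # GREEDYDATA:syslog_message
)

# Equivalent of the kv filter: key=value or key="value with spaces"
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Equivalent of the httpproxy-only grok run against the url field
URL_PART = re.compile(r"(?P<protocol>https?)://(?P<url_domain>[^/]+)/")

# Constructed sample lines in the shape the config expects (not real UTM output)
SAMPLE_LINES = [
    '<30>2017:04:11-13:55:02 utm httpproxy[5432]: id="0001" severity="info" '
    'sub="http" action="pass" method="GET" srcip="192.0.2.10" user="" '
    'statuscode="200" url="https://example.com/index.html?q=1" size="512"',
    '<30>2017:04:11-13:55:03 utm ulogd[4321]: id="2001" severity="info" '
    'sub="packetfilter" action="drop" srcip="203.0.113.7" dstip="192.0.2.1" dstport="22"',
]


def parse_utm_line(line):
    """Run the gist's filter chain over one line; returns a dict, or None if grok fails."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None  # Logstash would tag the event _grokparsefailure instead
    event = m.groupdict()
    # date filter: yyyy:MM:dd-HH:mm:ss -> @timestamp (naive, exactly as the config leaves it)
    event["@timestamp"] = datetime.strptime(event["syslog_timestamp"], "%Y:%m:%d-%H:%M:%S")
    # kv filter: every key="value" pair in the message body becomes a field
    for key, quoted, bare in KV_PAIR.findall(event["syslog_message"]):
        event[key] = bare if bare else quoted
    # mutate filter: program name becomes the type, raw fields are dropped
    event["type"] = event["syslog_program"]
    del event["syslog_message"], event["syslog_timestamp"]
    # conditional grok: only web proxy events get protocol/url_domain
    if event["type"] == "httpproxy" and "url" in event:
        u = URL_PART.match(event["url"])
        if u is not None:
            event.update(u.groupdict())
    return event


def parse_all(lines=SAMPLE_LINES):
    """Parse every sample line; entries are None where the line does not match."""
    return [parse_utm_line(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev)
```

Running it shows the httpproxy line gaining `protocol` and `url_domain` while the ulogd line keeps only its kv fields, and that a line which does not match the first grok yields no event at all, which is the case to watch for when the UTM's syslog format differs from what this pattern expects.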