Created
November 18, 2014 13:51
-
-
Save clay584/7b19b6b2a59c1c7036a0 to your computer and use it in GitHub Desktop.
gsub issue config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { [12/1185] | |
| file { | |
| path => ["/var/log/network.log"] | |
| sincedb_path => "/var/log/logstash" | |
| start_position => "beginning" | |
| type => "syslog" | |
| tags => [ "netsyslog" ] | |
| } | |
| udp { | |
| type => "netflow" | |
| tags => [ "nProbe" ] | |
| port => 2055 | |
| codec => netflow { | |
| } | |
| } | |
| } #end input block | |
| filter { | |
| if [type] == "syslog" { | |
| grok { | |
| #strips timestamp and host off of the front of the syslog message leaving the raw message generated by the syslog client and saves it as "raw_message" | |
| patterns_dir => "/opt/logstash/patterns" | |
| match => [ "message", "%{TIMESTAMP_ISO8601:syslog_datetime} %{IPORHOST:syslog_host} %{POSINT}?: %{WORD} %{POSINT} %{TIME}: %%{WORD:facility}-%{POSINT:severity}-%{NOTSPACE:mneumonic}: %{GREEDYDATA:raw_ | |
| message}", | |
| "message", "%{TIMESTAMP_ISO8601:syslog_datetime} %{IPORHOST:syslog_host} : %{YEAR} %{SYSLOGTIMESTAMP} %{TZ}: %%{WORD:facility}-%{POSINT:severity}-%{NOTSPACE:mneumonic}: %{GREEDYDATA:raw_mes | |
| sage}", | |
| "message", "%{TIMESTAMP_ISO8601:syslog_datetime} %{IPORHOST:syslog_host} : %%{WORD:facility}-%{POSINT:severity}-%{NOTSPACE:mneumonic}: %{GREEDYDATA:raw_message}" ] | |
| # "message", "%{TIMESTAMP_ISO8601:syslog_datetime} %{IPORHOST:syslog_host} %{GREEDYDATA:raw_message}" ] | |
| add_tag => [ "grok_ran" ] | |
| } | |
| date { | |
| match => [ "syslog_datetime", "ISO8601" ] | |
| } | |
| } | |
| if "grok_ran" in [tags] and "_grokparsefailure" not in [tags] { | |
| mutate { | |
| remove_field => [ "message", "syslog_datetime" ] | |
| } | |
| } | |
| if [type] == "netflow" { | |
| date { | |
| match => [ "netflow.first_switched", "ISO8601" ] | |
| } | |
| mutate { | |
| gsub => [ "netflow.protocol", "6", "TCP" ] | |
| gsub => [ "netflow.protocol", "17", "UDP" ] | |
| gsub => [ "netflow.protocol", "1", "ICMP" ] | |
| } | |
| noop { | |
| add_tag => [ "netflow_if_statement_hit" ] | |
| } | |
| } | |
| } #end filter block | |
| output { | |
| elasticsearch { | |
| protocol => "node" | |
| host => "127.0.0.1" | |
| cluster => "elasticsearch" | |
| } | |
| } #end output block |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment