fetep · January 4, 2012 16:49
diff --git a/00-plain_conf b/00-plain_conf
 logstash config:

 input {
  stdin {
    type => "syslog"
  }
 }

 filter {
  grok {
    type => "syslog"
    pattern => ["%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:device} %{GREEDYDATA:message}"]
  }

  mutate {
    type => "syslog"
    replace => ["@source_host", "%{device}"]
  }
 }

 output {
  stdout {
    debug => true
  }
 }
diff --git a/00-plain_conf_output b/00-plain_conf_output
 {
         "@source" => "stdin://carrera.databits.net/",
           "@type" => "syslog",
           "@tags" => [],
         "@fields" => {
        "timestamp" => [
            [0] "Jan  4 07:48:13"
        ],
           "device" => [
            [0] "192.0.0.1"
        ],
          "message" => [
            [0] "date=2012-01-04 time=11:57:22 devname=FW_Per01 device_id=FG200B3910602487 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd=\"root\" dir_disp=org tran_disp=snat src=192.0.0.15 srcname=192.0.0.15 src_port=23224 dst=138.108.7.20 dstname=138.108.7.20 dst_port=80 tran_ip=201.229.191.234 tran_port=54332 service=80/tcp proto=6 app_type=N/A duration=34 rule=13 policyid=13 identidx=0 sent=817 rcvd=586 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=\"N/A\" shaper_rcvd_name=\"N/A\" perip_name=\"N/A\" sent_pkt=4 rcvd_pkt=4 vpn=\"N/A\" src_int=\"port16\" dst_int=\"port5\" SN=3662352 app=\"N/A\" app_cat=\"N/A\" user=\"N/A\" group=\"N/A\" carrier_ep=\"N/A\""
        ]
    },
      "@timestamp" => "2012-01-04T16:41:58.526000Z",
    "@source_host" => "192.0.0.1",
    "@source_path" => "/",
        "@message" => "Jan  4 07:48:13 192.0.0.1 date=2012-01-04 time=11:57:22 devname=FW_Per01 device_id=FG200B3910602487 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd=\"root\" dir_disp=org tran_disp=snat src=192.0.0.15 srcname=192.0.0.15 src_port=23224 dst=138.108.7.20 dstname=138.108.7.20 dst_port=80 tran_ip=201.229.191.234 tran_port=54332 service=80/tcp proto=6 app_type=N/A duration=34 rule=13 policyid=13 identidx=0 sent=817 rcvd=586 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=\"N/A\" shaper_rcvd_name=\"N/A\" perip_name=\"N/A\" sent_pkt=4 rcvd_pkt=4 vpn=\"N/A\" src_int=\"port16\" dst_int=\"port5\" SN=3662352 app=\"N/A\" app_cat=\"N/A\" user=\"N/A\" group=\"N/A\" carrier_ep=\"N/A\""
 }
diff --git a/01-fancy_conf b/01-fancy_conf
 the beginning of a fancier grok filter:

 input {
  stdin {
    type => "syslog"
  }
 }

 filter {
  grok {
    type => "syslog"
    pattern => [
      "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:device} date=%{DATA:date} time=%{DATA:time} devname=%{DATA:devname} device_id=%{DATA:device_id} log_id=%{DATA:log_id} type=%{DATA:type} subtype=%{DATA:subtype} %{GREEDYDATA:rest_of_message}",
      "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:device} %{GREEDYDATA:message}"
      ]
  }

  mutate {
    type => "syslog"
    replace => ["@source_host", "%{device}"]
  }
 }

 output {
  stdout {
    debug => true
  }
 }
diff --git a/01-fancy_conf_output b/01-fancy_conf_output
 {
         "@source" => "stdin://carrera.databits.net/",
           "@type" => "syslog",
           "@tags" => [],
         "@fields" => {
              "timestamp" => [
            [0] "Jan  4 07:48:13"
        ],
                 "device" => [
            [0] "192.0.0.1"
        ],
                   "date" => [
            [0] "2012-01-04"
        ],
                   "time" => [
            [0] "11:57:22"
        ],
                "devname" => [
            [0] "FW_Per01"
        ],
              "device_id" => [
            [0] "FG200B3910602487"
        ],
                 "log_id" => [
            [0] "0021000002"
        ],
                   "type" => [
            [0] "traffic"
        ],
                "subtype" => [
            [0] "allowed"
        ],
        "rest_of_message" => [
            [0] "pri=notice status=accept vd=\"root\" dir_disp=org tran_disp=snat src=192.0.0.15 srcname=192.0.0.15 src_port=23224 dst=138.108.7.20 dstname=138.108.7.20 dst_port=80 tran_ip=201.229.191.234 tran_port=54332 service=80/tcp proto=6 app_type=N/A duration=34 rule=13 policyid=13 identidx=0 sent=817 rcvd=586 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=\"N/A\" shaper_rcvd_name=\"N/A\" perip_name=\"N/A\" sent_pkt=4 rcvd_pkt=4 vpn=\"N/A\" src_int=\"port16\" dst_int=\"port5\" SN=3662352 app=\"N/A\" app_cat=\"N/A\" user=\"N/A\" group=\"N/A\" carrier_ep=\"N/A\""
        ]
    },
      "@timestamp" => "2012-01-04T16:48:19.451000Z",
    "@source_host" => "192.0.0.1",
    "@source_path" => "/",
        "@message" => "Jan  4 07:48:13 192.0.0.1 date=2012-01-04 time=11:57:22 devname=FW_Per01 device_id=FG200B3910602487 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd=\"root\" dir_disp=org tran_disp=snat src=192.0.0.15 srcname=192.0.0.15 src_port=23224 dst=138.108.7.20 dstname=138.108.7.20 dst_port=80 tran_ip=201.229.191.234 tran_port=54332 service=80/tcp proto=6 app_type=N/A duration=34 rule=13 policyid=13 identidx=0 sent=817 rcvd=586 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=\"N/A\" shaper_rcvd_name=\"N/A\" perip_name=\"N/A\" sent_pkt=4 rcvd_pkt=4 vpn=\"N/A\" src_int=\"port16\" dst_int=\"port5\" SN=3662352 app=\"N/A\" app_cat=\"N/A\" user=\"N/A\" group=\"N/A\" carrier_ep=\"N/A\""
 }
	logstash config:

	input {
	stdin {
	type => "syslog"
	}
	}

	filter {
	grok {
	type => "syslog"
	pattern => ["%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:device} %{GREEDYDATA:message}"]
	}

	mutate {
	type => "syslog"
	replace => ["@source_host", "%{device}"]
	}
	}

	output {
	stdout {
	debug => true
	}
	}
	{
	"@source" => "stdin://carrera.databits.net/",
	"@type" => "syslog",
	"@tags" => [],
	"@fields" => {
	"timestamp" => [
	[0] "Jan 4 07:48:13"
	],
	"device" => [
	[0] "192.0.0.1"
	],
	"message" => [
	[0] "date=2012-01-04 time=11:57:22 devname=FW_Per01 device_id=FG200B3910602487 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd=\"root\" dir_disp=org tran_disp=snat src=192.0.0.15 srcname=192.0.0.15 src_port=23224 dst=138.108.7.20 dstname=138.108.7.20 dst_port=80 tran_ip=201.229.191.234 tran_port=54332 service=80/tcp proto=6 app_type=N/A duration=34 rule=13 policyid=13 identidx=0 sent=817 rcvd=586 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=\"N/A\" shaper_rcvd_name=\"N/A\" perip_name=\"N/A\" sent_pkt=4 rcvd_pkt=4 vpn=\"N/A\" src_int=\"port16\" dst_int=\"port5\" SN=3662352 app=\"N/A\" app_cat=\"N/A\" user=\"N/A\" group=\"N/A\" carrier_ep=\"N/A\""
	]
	},
	"@timestamp" => "2012-01-04T16:41:58.526000Z",
	"@source_host" => "192.0.0.1",
	"@source_path" => "/",
	"@message" => "Jan 4 07:48:13 192.0.0.1 date=2012-01-04 time=11:57:22 devname=FW_Per01 device_id=FG200B3910602487 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd=\"root\" dir_disp=org tran_disp=snat src=192.0.0.15 srcname=192.0.0.15 src_port=23224 dst=138.108.7.20 dstname=138.108.7.20 dst_port=80 tran_ip=201.229.191.234 tran_port=54332 service=80/tcp proto=6 app_type=N/A duration=34 rule=13 policyid=13 identidx=0 sent=817 rcvd=586 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=\"N/A\" shaper_rcvd_name=\"N/A\" perip_name=\"N/A\" sent_pkt=4 rcvd_pkt=4 vpn=\"N/A\" src_int=\"port16\" dst_int=\"port5\" SN=3662352 app=\"N/A\" app_cat=\"N/A\" user=\"N/A\" group=\"N/A\" carrier_ep=\"N/A\""
	}
	the beginning of a fancier grok filter:

	input {
	stdin {
	type => "syslog"
	}
	}

	filter {
	grok {
	type => "syslog"
	pattern => [
	"%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:device} date=%{DATA:date} time=%{DATA:time} devname=%{DATA:devname} device_id=%{DATA:device_id} log_id=%{DATA:log_id} type=%{DATA:type} subtype=%{DATA:subtype} %{GREEDYDATA:rest_of_message}",
	"%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:device} %{GREEDYDATA:message}"
	]
	}

	mutate {
	type => "syslog"
	replace => ["@source_host", "%{device}"]
	}
	}

	output {
	stdout {
	debug => true
	}
	}