mhubig · February 5, 2025 11:55 · Finkregh · Apr 17, 2013
diff --git a/apt-config.conf b/apt-config.conf
 input {
  tcp {
    type => "apt-history"
    port => 3333
  }
 }

 filter {

  # First, glue all lines together into one event!
  multiline {
    type    => "apt-history"
    pattern => "^\n"
    negate  => true
    what    => "previous"
  }

  # Get date and time from Start-Date and save to startdate field!
  grok {
    type    => "apt-history"
    singles   => true
    pattern   => "^\n\nStart-Date: %{DATE_EU:s_date}  %{TIME:s_time}"
    add_field => [ "startdate", "%{s_date} %{s_time}" ]}

  # Put the APT Commandline into the commandline field!
  grok {
    type    => "apt-history"
    singles => true
    pattern => "\n\nCommandline: %{DATA:commandline}\n\n"
  }

  # If an "install" is found, add a tag and fill the packages field!
  grok {
    type    => "apt-history"
    singles => true
    pattern => "\n\nInstall: %{DATA:packages}\n\n"
    add_tag => [ "install" ]
    tag_on_failure => false
  }

  # If an "upgrade" is found, add a tag and fill the packages field!
  grok {
    type    => "apt-history"
    singles => true
    pattern => "\n\nUpgrade: %{DATA:packages}\n\n"
    add_tag => [ "upgrade" ]
    tag_on_failure => false
  }

  # If an "error" is found, add tag and fill the error field!
  grok {
    type    => "apt-history"
    singles => true
    pattern => "\n\nError: %{DATA:error}\n\n"
    add_tag => [ "error" ]
    tag_on_failure => false
  }

  # Split the packages field into an array
  mutate {
    type  => "apt-history"
    gsub  => [ "packages", "\),", ") ###" ]
    split => [ "packages", " ### "]
  }

  # Get date and time from End-Date and save to enddate!
  grok {
    type      => "apt-history"
    singles   => true
    pattern   => "\n\nEnd-Date: %{DATE_EU:e_date}  %{TIME:e_time}"
    add_field => [ "enddate", "%{e_date} %{e_time}" ]
  }

  # Remove time/date fields only previously added for parsing.
  mutate {
    type   => "apt-history"
    remove => [ "s_time", "s_date", "e_time", "e_date" ]
  }

  # Set the timestamp to the startdate!
  date {
    type  => "apt-history"
    match => [ "startdate", "YYYY-MM-dd HH:mm:ss" ]
  }
 }

 output {
  stdout {
    debug => true
  }
 }
	input {
	tcp {
	type => "apt-history"
	port => 3333
	}
	}

	filter {

	# First, glue all lines together into one event!
	multiline {
	type => "apt-history"
	pattern => "^\n"
	negate => true
	what => "previous"
	}

	# Get date and time from Start-Date and save to startdate field!
	grok {
	type => "apt-history"
	singles => true
	pattern => "^\n\nStart-Date: %{DATE_EU:s_date} %{TIME:s_time}"
	add_field => [ "startdate", "%{s_date} %{s_time}" ]}

	# Put the APT Commandline into the commandline field!
	grok {
	type => "apt-history"
	singles => true
	pattern => "\n\nCommandline: %{DATA:commandline}\n\n"
	}

	# If an "install" is found, add a tag and fill the packages field!
	grok {
	type => "apt-history"
	singles => true
	pattern => "\n\nInstall: %{DATA:packages}\n\n"
	add_tag => [ "install" ]
	tag_on_failure => false
	}

	# If an "upgrade" is found, add a tag and fill the packages field!
	grok {
	type => "apt-history"
	singles => true
	pattern => "\n\nUpgrade: %{DATA:packages}\n\n"
	add_tag => [ "upgrade" ]
	tag_on_failure => false
	}

	# If an "error" is found, add tag and fill the error field!
	grok {
	type => "apt-history"
	singles => true
	pattern => "\n\nError: %{DATA:error}\n\n"
	add_tag => [ "error" ]
	tag_on_failure => false
	}

	# Split the packages field into an array
	mutate {
	type => "apt-history"
	gsub => [ "packages", "\),", ") ###" ]
	split => [ "packages", " ### "]
	}

	# Get date and time from End-Date and save to enddate!
	grok {
	type => "apt-history"
	singles => true
	pattern => "\n\nEnd-Date: %{DATE_EU:e_date} %{TIME:e_time}"
	add_field => [ "enddate", "%{e_date} %{e_time}" ]
	}

	# Remove time/date fields only previously added for parsing.
	mutate {
	type => "apt-history"
	remove => [ "s_time", "s_date", "e_time", "e_date" ]
	}

	# Set the timestamp to the startdate!
	date {
	type => "apt-history"
	match => [ "startdate", "YYYY-MM-dd HH:mm:ss" ]
	}
	}

	output {
	stdout {
	debug => true
	}
	}