tjrobinson · December 31, 2015 22:59
diff --git a/gistfile1.txt b/gistfile1.txt
 input {
    tcp {
        type   => "eventlog"
        host   => "10.1.1.2"
        port   => 3515
        format => 'json'
    }
 }
 

 filter {
 
 # Incoming Windows Event logs from nxlog
    # The EventReceivedTime field must contain only digits, or it is an invalid message
    grep {
        type              => "eventlog"
        match => [ "EventReceivedTime", "\d+" ]
    }
    mutate {
        # Lowercase some values that are always in uppercase
        type      => "eventlog"
        lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
        # Set source to what the message says
        type   => "eventlog"
        rename => [ "Hostname", "@source_host" ]
    }
    date {
        # Convert timestamp from integer in UTC
        type              => "eventlog"
        EventReceivedTime => "UNIX"
    }
    mutate {
        # Rename some fields into something more useful
        type   => "eventlog"
        rename => [ "Message", "@message" ]
        rename => [ "Severity", "eventlog_severity" ]
        rename => [ "SeverityValue", "eventlog_severity_code" ]
        rename => [ "Channel", "eventlog_channel" ]
        rename => [ "SourceName", "eventlog_program" ]
        rename => [ "SourceModuleName", "nxlog_input" ]
        rename => [ "Category", "eventlog_category" ]
        rename => [ "EventID", "eventlog_id" ]
        rename => [ "RecordNumber", "eventlog_record_number" ]
        rename => [ "ProcessID", "eventlog_pid" ]
    }
    mutate {
        # Remove redundant fields
        type   => "eventlog"
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
    }
 }









 output {
  stdout { debug => true debug_format => "json"}

  elasticsearch {
    cluster => "Mint16ES"
    tags => "remote_syslog"
  }
 }
	input {
	tcp {
	type => "eventlog"
	host => "10.1.1.2"
	port => 3515
	format => 'json'
	}
	}


	filter {

	# Incoming Windows Event logs from nxlog
	# The EventReceivedTime field must contain only digits, or it is an invalid message
	grep {
	type => "eventlog"
	match => [ "EventReceivedTime", "\d+" ]
	}
	mutate {
	# Lowercase some values that are always in uppercase
	type => "eventlog"
	lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
	}
	mutate {
	# Set source to what the message says
	type => "eventlog"
	rename => [ "Hostname", "@source_host" ]
	}
	date {
	# Convert timestamp from integer in UTC
	type => "eventlog"
	EventReceivedTime => "UNIX"
	}
	mutate {
	# Rename some fields into something more useful
	type => "eventlog"
	rename => [ "Message", "@message" ]
	rename => [ "Severity", "eventlog_severity" ]
	rename => [ "SeverityValue", "eventlog_severity_code" ]
	rename => [ "Channel", "eventlog_channel" ]
	rename => [ "SourceName", "eventlog_program" ]
	rename => [ "SourceModuleName", "nxlog_input" ]
	rename => [ "Category", "eventlog_category" ]
	rename => [ "EventID", "eventlog_id" ]
	rename => [ "RecordNumber", "eventlog_record_number" ]
	rename => [ "ProcessID", "eventlog_pid" ]
	}
	mutate {
	# Remove redundant fields
	type => "eventlog"
	remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
	}
	}









	output {
	stdout { debug => true debug_format => "json"}

	elasticsearch {
	cluster => "Mint16ES"
	tags => "remote_syslog"
	}
	}