filter {
  # Syslog normalisation for events whose raw line is in [message].
  # Order matters: the priority is pulled first, then the header grok decides
  # (via the "syslogbase" tag) whether the rename/re-parse step below runs.
  # Any grok that does not match leaves the event untouched and, with the
  # default settings used here, tags it "_grokparsefailure".

  # Pull out the Syslog Priority: the leading "<NNN>" of the line goes into [syslog_pri].
  grok {
    named_captures_only => true
    match => { "message" => "<%{INT:syslog_pri}>" }
  }
  # Convert the syslog priority to human readable format
  # (the syslog_pri filter expands [syslog_pri] into facility/severity fields).
  syslog_pri { }
  # Check for syslog headers: timestamp, optional facility, host and program.
  # Only [source_host] is captured here; a match tags the event "syslogbase".
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:source_host} %{SYSLOGPROG}" }
    add_tag => "syslogbase"
  }
  # If syslog headers are present, move the syslog message into a new field named syslog_message(to capture the original)
  # Rename the host field to host_ip to retain the host ip address
  # Replace the host field with the hostname acquired from %SYSLOGHOST
  # Remove the source_host field for the sake of brevity
  #
  # NOTE(review): after this block [host] holds the hostname parsed out of the
  # message text, i.e. whatever the sender wrote in the header, while the value
  # the input originally set in [host] survives only as [host_ip]. For
  # attribution use [host_ip]; [host] is self-reported.
  if ("syslogbase" in [tags]) {
    # Renames are applied in the order listed, so [host] is moved aside before
    # [source_host] takes its place (and [source_host] disappears as a result).
    mutate {
      rename => ["message", "syslog_message"]
      rename => ["host", "host_ip"]
      rename => ["source_host", "host"]
    }
    # Apply the SYSLOG GROK to the message to parse out the syslog headers, then place the left overs
    # in message where we expect it to be.
    # The header fields are not re-captured here; only %{GREEDYDATA:message} is kept,
    # which overwrites [message] with the payload after "prog[pid]:".
    # A second tag, "sysloggrok", marks events that reached this stage successfully.
    grok {
      match => ["syslog_message", "%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST} %{PROG}(?:\[%{POSINT}\])?\S+ %{GREEDYDATA:message}"]
      add_tag => "sysloggrok"
    }
  }
}