Untitled

input {
 file {
   path => "/home/htpcguides/syslog/*.log"
   start_position => "beginning"
   type => "syslog"
  }
}


filter {
if [type] =~ "syslog" {
 grok {
  pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
  type => "esxi"
 }
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

You are using a deprecated config setting "pattern" set in grok. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. You should use this instead: match => { "message" => "your pattern here" } If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"pattern", :plugin=><LogStash::Filters::Grok pattern=>["(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \\'%{DATA:esxi_service}\\'\\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))"], type=>"esxi">, :level=>:warn}
Error: The setting `type` in plugin `grok` is obsolete and is no longer available. You can achieve this same behavior with the new conditionals, like: `if [type] == "sometype" { grok { ... } }`. If you have any questions about this, you are invited to visit https://discuss.elastic.co/c/logstash and ask.