# Plain TCP syslog listener on 5140.
# There is no TLS and no client authentication on this input, so any host
# that can reach the port can inject events; keep it firewalled to the
# machines that are actually supposed to ship logs here.
input {
  tcp {
    port => 5140
    type => "syslog"
  }
}
# UDP syslog listener on 5140.
# UDP has no session, so the datagram source address -- which becomes the
# [host] field that the routing filter below branches on -- can be spoofed
# by anything able to send to this port.
input {
  udp {
    port => 5140
    type => "syslog"
  }
}
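# Route syslog events by origin: events from the pfSense box get the
# "PFSense" tag, everything else gets the generic "syslog" tag.
# "Ready" is only a temporary marker meaning "already routed"; a later
# filter strips it again.
filter {
  if [type] == "syslog" {
    # Change to the pfSense IP address.
    # Anchored at the start, with a word boundary after the last octet, so
    # that hosts such as "10.192.168.3.254" or "192.168.3.2540" no longer
    # match -- the previous unanchored pattern matched any [host] value that
    # merely contained this substring.
    # NOTE(review): over the UDP input the source address is spoofable, so
    # this tag is a routing hint, not proof of who sent the line.
    if [host] =~ /^192\.168\.3\.254\b/ {
      mutate {
        add_tag => ["PFSense", "Ready"]
      }
    }
    if "Ready" not in [tags] {
      mutate {
        add_tag => [ "syslog" ]
      }
    }
  }
}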
# Housekeeping: once the routing filter has run, the "Ready" marker tag has
# served its purpose, so drop it from every syslog event before indexing.
filter {
  if [type] == "syslog" {
    mutate {
      remove_tag => [ "Ready" ]
    }
  }
}
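# Generic syslog parsing for every event that was not routed to the pfSense
# branch. Produces syslog_program / syslog_pid and (via syslog_pri) the
# facility/severity fields, and rewrites @source_host / @message.
filter {
  if "syslog" in [tags] {
    grok {
      # The raw tcp/udp inputs do not strip the syslog priority, so lines can
      # start with "<NNN>" (the pfSense branch in this file matches exactly
      # that prefix). Grok is unanchored, so the old pattern simply skipped
      # the prefix and syslog_pri below had nothing to decode; the optional
      # group captures it into syslog_pri, the filter's default source field,
      # without changing how lines that lack the prefix are matched.
      match => { "message" => "(?:<%{NONNEGINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Hash form instead of two repeated add_field arrays, so both fields
      # are unambiguously added regardless of how duplicate keys are merged.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Decodes syslog_pri into facility/severity fields.
    syslog_pri { }
    date {
      # Syslog timestamps carry no year; single-digit days ("Jan 5") are
      # covered by the "MMM d" form.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      locale => "en"
    }
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
    }
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
    }
    # Deliberately left disabled: lines grok cannot parse are still indexed
    # (tagged _grokparsefailure) rather than silently dropped, so parser gaps
    # stay visible instead of becoming a blind spot.
    # if "_grokparsefailure" in [tags] {
    #   drop { }
    # }
  }
}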
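# pfSense-specific parsing. The firewall sends lines shaped like
#   <PRI>Mon dd HH:mm:ss program: payload
# The header is split out (evtid / datetime / prog) and "message" is then
# rewritten to just the payload so the per-program groks below see only that.
filter {
  if "PFSense" in [tags] {
    grok {
      add_tag => [ "firewall" ]
      # evtid uses "[^>]*" instead of ".*": the match now stops at the first
      # ">" instead of running to the end of an attacker-controlled log line
      # and backtracking, which is cheaper and cannot be steered by a ">"
      # appearing later in the payload. prog is non-greedy up to the first
      # ": "; everything after that is the payload.
      match => [ "message", "<(?<evtid>[^>]*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
    }
    mutate {
      # Collapse runs of spaces in the timestamp ("Jan  5" for single-digit
      # days, which the \s+ in the grok above accepts) to one separator so
      # the date patterns below line up. As rendered, the previous gsub
      # replaced a single space with a single space, i.e. did nothing.
      gsub => [ "datetime", " {2,}", " " ]
    }
    date {
      # No year in the source; accept both 1- and 2-digit days.
      match => [ "datetime", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    mutate {
      replace => [ "message", "%{msg}" ]
    }
    mutate {
      remove_field => [ "msg", "datetime" ]
    }
  }
  if [prog] =~ /^filterlog$/ {
    # prog is only ever set by the grok in the PFSense branch above, which
    # already removed msg/datetime, so the second remove_field that used to
    # sit here was redundant and has been dropped.
    grok {
      # LOG_DATA / IP_SPECIFIC_DATA / IP_DATA / PROTOCOL_DATA are custom
      # patterns from patterns_dir and are not visible in this file.
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "%{LOG_DATA}%{IP_SPECIFIC_DATA}%{IP_DATA}%{PROTOCOL_DATA}" ]
    }
    mutate {
      lowercase => [ 'proto' ]
    }
  }
  if "openvpn" in [prog] {
    grok {
      match => [ "message", "user \'%{WORD:openvpn_user}\'" ]
      match => [ "message", "%{WORD:openvpn_user}/%{IP:openvpn_scr_ip}:%{INT:openvpn_scr_port} MULTI_sva: pool returned IPv4=%{IP:openvpn_ip}" ]
    }
    # NOTE(review): nothing in the openvpn grok above produces src_ip (it
    # captures openvpn_scr_ip). If src_ip comes from the filterlog patterns,
    # this lookup belongs in the filterlog branch, or its source should be
    # openvpn_scr_ip -- verify against /opt/logstash/patterns before moving it.
    geoip {
      add_tag => [ "GeoIP" ]
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # Order matters: longitude first, then latitude, so the array is in
      # the [lon, lat] order expected for a geo_point.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
  }
}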
# Index every event into the local Elasticsearch and echo it to the console.
# The rubydebug stdout copy prints every field of every log line, so it is a
# debugging aid rather than something to leave enabled on a busy pipeline.
output {
  stdout { codec => rubydebug }
  elasticsearch { host => localhost }
}