Logstash With OPENVPN config

1. #tcp syslog stream via 5140
2. input {
3. tcp {
4. type => "syslog"
5. port => 5140
6. }
7. }
8. #udp syslog stream via 5140
9. input {
10. udp {
11. type => "syslog"
12. port => 5140
13. }
14. }
15. filter {
16. if [type] == "syslog" {
17.  
18. #change to pfSense ip address
19. if [host] =~ /192\.168\.3\.254/ {
20. mutate {
21. add_tag => ["PFSense", "Ready"]
22. }
23. }
24.  
25. if "Ready" not in [tags] {
26. mutate {
27. add_tag => [ "syslog" ]
28. }
29. }
30. }
31. }
32. filter {
33. if [type] == "syslog" {
34. mutate {
35. remove_tag => "Ready"
36. }
37. }
38. }
39.  
40. filter {
41. if "syslog" in [tags] {
42. grok {
43. match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
44. add_field => [ "received_at", "%{@timestamp}" ]
45. add_field => [ "received_from", "%{host}" ]
46. }
47. syslog_pri { }
48. date {
49. match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
50. locale => "en"
51. }
52.  
53. if !("_grokparsefailure" in [tags]) {
54. mutate {
55. replace => [ "@source_host", "%{syslog_hostname}" ]
56. replace => [ "@message", "%{syslog_message}" ]
57. }
58. }
59.  
60. mutate {
61. remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
62. }
63. # if "_grokparsefailure" in [tags] {
64. # drop { }
65. # }
66. }
67. }
68. filter {
69. if "PFSense" in [tags] {
70. grok {
71. add_tag => [ "firewall" ]
72. match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
73. }
74. mutate {
75. gsub => ["datetime"," "," "]
76. }
77. date {
78. match => [ "datetime", "MMM dd HH:mm:ss" ]
79. }
80. mutate {
81. replace => [ "message", "%{msg}" ]
82. }
83. mutate {
84. remove_field => [ "msg", "datetime" ]
85. }
86. }
87. if [prog] =~ /^filterlog$/ {
88. mutate {
89. remove_field => [ "msg", "datetime" ]
90. }
91. grok {
92. patterns_dir => "/opt/logstash/patterns"
93. match => [ "message", "%{LOG_DATA}%{IP_SPECIFIC_DATA}%{IP_DATA}%{PROTOCOL_DATA}" ]
94. }
95. mutate {
96. lowercase => [ 'proto' ]
97. }
98. }
99. if "openvpn" in [prog] {
100. grok {
101. match => [ "message", "user \'%{WORD:openvpn_user}\'" ]
102. match => [ "message", "%{WORD:openvpn_user}/%{IP:openvpn_scr_ip}:%{INT:openvpn_scr_port} MULTI_sva: pool returned IPv4=%{IP:openvpn_ip}" ]
103. }
104. geoip {
105. add_tag => [ "GeoIP" ]
106. source => "src_ip"
107. target => "geoip"
108. database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
109. add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
110. add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
111. }
112. }
113. }
114. output {
115. elasticsearch { host => localhost }
116. stdout { codec => rubydebug }
117. }