Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- input {
- udp {
- port => 5000
- codec => json
- }
- tcp {
- port => 5000
- codec => json
- }
- }
- filter {
- grok {
- match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:ver} +(?:%{TIMESTAMP_ISO8601:ts}|-) +(?:%{HOSTNAME:service}|-) +(?:%{NOTSPACE:containerName}|-) +(?:%{NOTSPACE:proc}|-) +(?:%{WORD:msgid}|-) +(?:%{SYSLOG5424SD:sd}|-|) +%{GREEDYDATA:msg}" }
- }
- syslog_pri { }
- date {
- match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
- }
- mutate {
- remove_field => [ "message", "priority", "ts", "severity", "facility", "facility_label", "severity_label", "syslog5424_pri", "proc", "syslog_severity_code", "syslog_facility_code", "syslog_facility", "syslog_severity", "syslog_hostname", "syslog_message", "syslog_timestamp", "ver" ]
- }
- mutate {
- remove_tag => [ "_grokparsefailure_sysloginput" ]
- }
- mutate {
- gsub => [
- "service", "[0123456789-]", ""
- ]
- }
- if [msg] =~ "^ *{" {
- json {
- source => "msg"
- }
- if "_jsonparsefailure" in [tags] {
- drop {}
- }
- mutate {
- remove_field => [ "msg" ]
- }
- }
- else { drop{} }
- if ("" in [msg]) {
- mutate {
- rename => { "msg" => "message" }
- }
- }
- mutate {
- remove_field => [ "tags" ]
- }
- }
- output {
- stdout {}
- elasticsearch {
- hosts => "elastic:9200"
- user => "elastic"
- password => "changeme"
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
