# Listener for Cisco ASA syslog delivered over UDP.
# UDP syslog carries no authentication and the sender address can be spoofed,
# so reachability of this port should be limited (host firewall or network ACL)
# to the firewalls that are expected to log here.
input {
  udp {
    # Tag every event so the filter and output sections can select it.
    type => "ciscoasa"
    port => 5000
  }
}
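filter {
  # Only process events that arrived on the Cisco ASA input.
  if [type] == "ciscoasa" {
    # Split the syslog header from the ASA message body; the remainder of the
    # line is kept in cisco_message until parsing is known to have succeeded.
    # NOTE(review): patterns_dir points into a versioned gem directory, so it
    # breaks when logstash-patterns-core is upgraded. The core patterns are
    # normally loaded without it; confirm and drop the setting if so.
    grok {
      patterns_dir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.2/patterns"
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]
    }

    # Set @timestamp from the device timestamp. The four formats cover one- and
    # two-digit days, with and without a year. The device clock is interpreted
    # in the configured timezone.
    date {
      match => ["timestamp",
        "MMM dd HH:mm:ss",
        "MMM d HH:mm:ss",
        "MMM dd yyyy HH:mm:ss",
        "MMM d yyyy HH:mm:ss"
      ]
      timezone => "Europe/Brussels"
    }

    # Clean up redundant fields only when BOTH grok and date parsing succeeded.
    # The output section sends events tagged _grokparsefailure or
    # _dateparsefailure to a failure file; keeping the raw message and the
    # unparsed timestamp on those events is what makes the failure diagnosable.
    if "_grokparsefailure" not in [tags] and "_dateparsefailure" not in [tags] {
      mutate {
        rename => ["cisco_message", "message"]
        remove_field => ["timestamp"]
      }
    }

    # Decode the syslog priority into facility and severity fields.
    # presumably reads the syslog_pri field captured by the grok pattern above
    syslog_pri { }
  }
}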
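output {
  if [type] == "ciscoasa" {
    if "_grokparsefailure" in [tags] or "_dateparsefailure" in [tags] {
      # Events that could not be parsed are kept out of Elasticsearch and
      # written to a daily file (and to stdout) for inspection.
      # These are raw firewall logs: keep the directory readable only by the
      # logstash user and the people who triage it, and rotate the files so a
      # burst of malformed or spoofed UDP traffic cannot fill the disk.
      stdout { codec => rubydebug }
      file {
        path => "/var/log/logstash/failed_ciscoasa_events-%{+YYYY-MM-dd}"
        codec => "json_lines"
      }
    } else {
      # Successfully parsed events go to a daily index.
      elasticsearch {
        # hosts takes a list of strings; the original used an unquoted bareword.
        hosts => ["localhost"]
        index => "ciscoasa-%{+YYYY.MM.dd}"
        # The values below are redacted placeholders from the paste.
        # Real credentials in this file are readable by anyone who can read the
        # config: restrict its permissions, keep it out of shared repositories,
        # and use an account that may only write to the ciscoasa-* indices.
        # No TLS is configured here, so the credentials travel unencrypted;
        # that is confined to loopback as written, but enable TLS before
        # pointing hosts at a remote node.
        user => "--------"
        password => "-------"
      }
    }
  }
}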