
Untitled

a guest
Feb 20th, 2017
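  # Parse space-separated Blue Coat proxy access-log lines (events with
  # type == "proxy_bluecoat") into named fields, set @timestamp from the
  # log's own time fields, enrich with GeoIP and user-agent data, and
  # remove the raw/intermediate fields once parsing has succeeded.
  filter {
    if [type] == "proxy_bluecoat" {
      # Drop comment lines (anything starting with '#').
      if [message] =~ /^#/ {
        drop {}
      }

      # Split the line on single spaces into the columns below.
      # Most of these values (URI, referer, user agent, ...) are supplied by
      # the client, so a line may fail to parse; the csv filter then tags the
      # event with "_csvparsefailure" (its default tag_on_failure).
      csv {
        columns => [
          "date", "time", "time_taken", "c_ip", "sc_status", "s_action",
          "sc_bytes", "cs_bytes", "cs_method", "cs_uri_scheme", "cs_host",
          "cs_uri_port", "cs_uri_path", "cs_uri_query", "cs_username",
          "s_supplier_name", "rs_content_type", "cs_referer", "cs_user_agent",
          "sc_filter_result", "cs_categories", "s_ip", "r_dns", "r_ip",
          "x_cs_dns"
        ]
        separator => " "
      }

      # Pick whichever time field is present and use it as the event time.
      # NOTE(review): timestamp, gmttime and localtime are not in the csv
      # column list above; presumably they come from another log format or an
      # earlier stage - confirm. With the columns above only the date + time
      # branch can match.
      if [timestamp] {
        date {
          match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
        }
      } else if [gmttime] {
        date {
          match    => ["gmttime", "dd/MM/YYYY:HH:mm:ss' GMT'"]
          timezone => "UTC"
        }
      } else if [localtime] {
        date {
          match => ["localtime", "[dd/MMM/YYYY:HH:mm:ss Z]"]
        }
      } else if [date] and [time] {
        # Fold "time" into "date" (making it a two-element array), then join
        # the array with a space so it reads "YYYY-MM-dd HH:mm:ss".
        mutate { merge => { "date" => "time" } }
        mutate { join  => { "date" => " " } }
        date {
          match    => ["date", "YYYY-MM-dd HH:mm:ss"]
          timezone => "UTC"
        }
      }

      # GeoIP enrichment, skipping the "-" placeholder.
      # NOTE(review): the csv column list defines s_supplier_name, not
      # s_supplier_ip, so this branch only runs if something else sets
      # s_supplier_ip - confirm which field is intended.
      if [s_supplier_ip] and [s_supplier_ip] != "-" {
        geoip {
          source => "s_supplier_ip"
        }
      }

      # Store counters and ports as integers so they can be aggregated.
      # r_port, s_port and duration are not produced by the csv filter above.
      mutate {
        convert => {
          "sc_bytes"   => "integer"
          "time_taken" => "integer"
          "r_port"     => "integer"
          "s_port"     => "integer"
          "cs_bytes"   => "integer"
          "duration"   => "integer"
        }
      }

      # NOTE(review): this test only excludes the empty string, so a "-"
      # placeholder still reaches the useragent filter - confirm intended.
      if [cs_user_agent] != "" {
        useragent {
          source => "cs_user_agent"
          prefix => "user_agent."
        }
      }

      # Remove the raw line and the intermediate time fields only when parsing
      # succeeded. If the csv or date filter failed, these fields are the only
      # record of what the proxy logged, so they are kept for triage; removing
      # them unconditionally would leave an event with no usable content.
      if "_csvparsefailure" not in [tags] and "_dateparsefailure" not in [tags] {
        mutate {
          remove_field => ["message", "host", "date", "time", "timestamp", "gmttime", "localtime"]
        }
      }
    }
  }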