Advertisement
killmasta93

Logstash Without OPENVPN config

Jun 27th, 2016
423
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #tcp syslog stream via 5140
  2. input {
  3. tcp {
  4. type => "syslog"
  5. port => 5140
  6. }
  7. }
  8. #udp syslog stream via 5140
  9. input {
  10. udp {
  11. type => "syslog"
  12. port => 5140
  13. }
  14. }
  15. filter {
  16. if [type] == "syslog" {
  17.  
  18. #change to pfSense ip address
  19. if [host] =~ /192\.168\.3\.254/ {
  20. mutate {
  21. add_tag => ["PFSense", "Ready"]
  22. }
  23. }
  24.  
  25. if "Ready" not in [tags] {
  26. mutate {
  27. add_tag => [ "syslog" ]
  28. }
  29. }
  30. }
  31. }
  32. filter {
  33. if [type] == "syslog" {
  34. mutate {
  35. remove_tag => "Ready"
  36. }
  37. }
  38. }
  39.  
  40. filter {
  41. if "syslog" in [tags] {
  42. grok {
  43. match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  44. add_field => [ "received_at", "%{@timestamp}" ]
  45. add_field => [ "received_from", "%{host}" ]
  46. }
  47. syslog_pri { }
  48. date {
  49. match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  50. locale => "en"
  51. }
  52.  
  53. if !("_grokparsefailure" in [tags]) {
  54. mutate {
  55. replace => [ "@source_host", "%{syslog_hostname}" ]
  56. replace => [ "@message", "%{syslog_message}" ]
  57. }
  58. }
  59.  
  60. mutate {
  61. remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
  62. }
  63. # if "_grokparsefailure" in [tags] {
  64. # drop { }
  65. # }
  66. }
  67. }
  68. filter {
  69. if "PFSense" in [tags] {
  70. grok {
  71. add_tag => [ "firewall" ]
  72. match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
  73. }
  74. mutate {
  75. gsub => ["datetime"," "," "]
  76. }
  77. date {
  78. match => [ "datetime", "MMM dd HH:mm:ss" ]
  79. }
  80. mutate {
  81. replace => [ "message", "%{msg}" ]
  82. }
  83. mutate {
  84. remove_field => [ "msg", "datetime" ]
  85. }
  86. }
  87. if [prog] =~ /^filterlog$/ {
  88. mutate {
  89. remove_field => [ "msg", "datetime" ]
  90. }
  91. grok {
  92. patterns_dir => "/opt/logstash/patterns"
  93. match => [ "message", "%{LOG_DATA}%{IP_SPECIFIC_DATA}%{IP_DATA}%{PROTOCOL_DATA}" ]
  94. }
  95. mutate {
  96. lowercase => [ 'proto' ]
  97. }
  98. geoip {
  99. add_tag => [ "GeoIP" ]
  100. source => "src_ip"
  101. target => "geoip"
  102. database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
  103. add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  104. add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  105. }
  106. }
  107. }
  108. output {
  109. elasticsearch { host => localhost }
  110. stdout { codec => rubydebug }
  111. }
Advertisement
RAW Paste Data Copied
Advertisement