Untitled

[root@JLM-DB-230 conf.d]# cat test.conf
input{
beats{
port => 5044
}
}
filter {
mutate {
        add_tag => [ "insidefilter" ]
      }

if [log][file][path] =~ "commands.log" {
grok{
match => { "message" => "\[(%{TIMESTAMP_ISO8601:sys_timestamp})\]\s(?<Hostname>[0-9a-zA-Z_-]+)\s(?<Logged as>[0-9a-zA-Z_-]+)\:USER=(?<User>[0-9a-zA-Z_-]+)\sPWD=(?<Directory>[0-9a-zA-Z_/-]+)\sPID=\[(?<PID>[0-9]+)\]\sCMD=\"(?<Command>.*)\"\sExit=\[(?<Exit>[0-9]+)\]\sCONNECTION=(?<Connetion>.*)"
}
}
}
}
output{
elasticsearch {
# manage_template => false
hosts => ["localhost:9200"]
index => "cleandata"
}
}