Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- filter {
- if [type] == "syslog" {
- #change to pfSense ip address
- if [host] =~ /192\.168\.3\.254/ {
- mutate {
- add_tag => ["PFSense", "Ready"]
- }
- }
- if "Ready" not in [tags] {
- mutate {
- add_tag => [ "syslog" ]
- }
- }
- }
- }
- filter {
- if [type] == "syslog" {
- mutate {
- remove_tag => "Ready"
- }
- }
- }
- filter {
- if "syslog" in [tags] {
- grok {
- match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
- add_field => [ "received_at", "%{@timestamp}" ]
- add_field => [ "received_from", "%{host}" ]
- }
- syslog_pri { }
- date {
- match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
- locale => "en"
- }
- if !("_grokparsefailure" in [tags]) {
- mutate {
- replace => [ "@source_host", "%{syslog_hostname}" ]
- replace => [ "@message", "%{syslog_message}" ]
- }
- }
- mutate {
- remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
- }
- if "_grokparsefailure" in [tags] {
- drop { }
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
