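# Logstash pipeline: three plaintext TCP listeners (Windows event log JSON,
# Exchange message-tracking CSV, Exchange IIS W3C logs), per-type
# normalisation in the filter section, and a single RabbitMQ output.
input {
  # All three listeners accept unauthenticated, unencrypted TCP: any host that
  # can reach these ports can inject events with arbitrary field values.
  # Restrict reachability at the network layer (or enable TLS on the tcp input)
  # before treating fields such as AccountName or logsource as trustworthy.
  tcp {
    port  => 3515
    host  => "192.168.168.168"
    type  => "WindowsEventLog"
    codec => "line"   # one JSON document per line; decoded by the json filter below
  }
  tcp {
    port => 3516
    host => "192.168.168.168"
    type => "Exchange"
  }
  tcp {
    port => 3517
    host => "192.168.168.168"
    type => "EXIIS"
  }
}

filter {
  # --- Windows event log: JSON payload in [message] ---
  if [type] == "WindowsEventLog" {
    json {
      source => "message"
    }
    # Promote the event's own Message text to the top-level message field.
    # If the decoded JSON carried no Message key, the literal "%{Message}"
    # string is left behind.
    mutate {
      replace => [ "message", "%{Message}" ]
    }
    mutate {
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
      rename => [ "Hostname", "logsource" ]
    }
    # No timezone is given, so EventTime is interpreted in the Logstash host's
    # local zone (the Exchange branch below sets one explicitly).
    date {
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    # `=~ "."` is a non-empty test. The two blocks run in order, so when both
    # fields are present TargetUserName overwrites the value taken from
    # SubjectUserName; in Windows security events SubjectUserName is typically
    # the acting account, which is then lost from AccountName.
    if [SubjectUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{SubjectUserName}" ]
      }
    }
    if [TargetUserName] =~ "." {
      mutate {
        replace => [ "AccountName", "%{TargetUserName}" ]
      }
    }
    if [FileName] =~ "." {
      mutate {
        replace => [ "eventlog_channel", "%{FileName}" ]
      }
    }
    mutate {
      lowercase => [ "AccountName", "eventlog_channel" ]
    }
    # `remove_field` is the common option already used elsewhere in this
    # config; the bare `remove` spelling is the deprecated mutate-only form.
    mutate {
      remove_field => [ "SourceModuleType", "EventTimeWritten", "EventReceivedTime", "EventType" ]
    }
  }

  # --- Exchange message tracking (CSV) ---
  if [type] == "Exchange" {
    csv {
      add_tag => [ 'exh_msg_trk' ]
      columns => [ 'date-time', 'client-ip', 'client-hostname', 'server-ip', 'server-hostname', 'source-context', 'connector-id', 'source', 'event-id', 'internal-message-id', 'message-id', 'recipient-address', 'recipient-status', 'total-bytes', 'recipient-count', 'related-recipient-address', 'reference', 'message-subject', 'sender-address', 'return-path', 'message-info', 'directionality', 'tenant-id', 'original-client-ip', 'original-server-ip', 'custom-data' ]
      # The raw date-time column is dropped; the timestamp is re-extracted
      # from the original message by the grok below.
      remove_field => [ "date-time" ]
    }
    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}" ]
    }
    mutate {
      convert => [ "total-bytes", "integer" ]
      convert => [ "recipient-count", "integer" ]
      # Multi-valued columns are ';'-separated in the tracking log.
      split => [ "recipient-address", ";" ]
      split => [ "source-context", ";" ]
      split => [ "custom-data", ";" ]
    }
    date {
      match        => [ "timestamp", "ISO8601" ]
      timezone     => "America/Los_Angeles"
      remove_field => [ "timestamp" ]
    }
    # Events without a parseable ISO8601 timestamp are discarded silently.
    # Note this only reacts to the grok failure tag; a csv parse failure is
    # tagged but the event still flows through to the output.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }

  # --- Exchange IIS (W3C extended, space separated) ---
  if [type] == "EXIIS" {
    csv {
      separator => [ " " ]
      add_tag   => [ 'exh_iis' ]
      columns   => [ 'date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 's-port', 'cs-username', 'c-ip', 'csUser-Agent', 'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken' ]
    }
  }
}

output {
  rabbitmq {
    # Option syntax is `name => value`; `host = ...` does not parse.
    host          => "192.168.168.168"
    exchange      => "logstash"
    # Values must be quoted strings, numbers or booleans; a bare word is a
    # config syntax error.
    exchange_type => "direct"
    key           => "logstash"
    durable       => true
    persistent    => true
    # Credentials are hard-coded in a config that has been shared publicly:
    # rotate them, and keep the real values out of the file (Logstash supports
    # ${ENV_VAR} substitution, and newer releases a keystore, for settings
    # like this). The connection to the broker is also unencrypted unless the
    # output's TLS option is enabled.
    user          => "billy"
    password      => "badass"
  }
}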