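# Parse events tagged type=syslog.
#
# The grok patterns are tried in order and, because break_on_match is true,
# the first one that matches wins, so they are ordered most specific to least
# specific.  The original listed the bare %{GREEDYDATA} catch-all as the third
# entry, which made the fourth pattern unreachable (GREEDYDATA matches any
# message); it is moved to the end here.  The patterns are also given as one
# array under a single "message" key: repeating `match =>` as separate hash
# entries relies on duplicate-key handling in the config parser instead of the
# documented multi-pattern form.
if [type] == "syslog" {
    grok {
        break_on_match => true
        match => {
            "message" => [
                # <pri>pid: host: Mon DD HH:MM:SS: %<text> -- the message body
                # is everything after a literal '%'.
                "<%{POSINT:syslog_pri}>%{POSINT:syslog_pid}: %{NOTSPACE:syslog_hostname}\: %{WORD:month} (?: )%{POSINT:day} %{TIME:time}\: \%%{GREEDYDATA:the_message}",
                # Firewall-style line: [rulename]IN= OUT= (optional MAC=) SRC= DST= rest.
                "<%{POSINT:syslog_pri}>%{MONTH} ?( )%{MONTHDAY} %{TIME} %{NOTSPACE:my_hostname} %{WORD}: \[%{NOTSPACE:rulename}\]IN=%{NOTSPACE:inbound_interface} OUT=%{NOTSPACE:outbound_interface}( MAC=(?:(?:[A-Fa-f0-9]{2}:){13}[A-Fa-f0-9]{2}))? SRC=%{IPV4:src} DST=%{IPV4:dst} %{GREEDYDATA:the_message}",
                # (<x>,<ap_mac>,<version>) program: interface: messagetype client_mac encryption: text.
                # Several unanchored %{DATA} captures in a row; expect this one to be
                # the slowest of the set on long or non-matching lines.
                "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} \(%{DATA},%{DATA:ap_mac},%{DATA:version}\) %{DATA:program}: %{DATA:interface}: %{DATA:messagetype} %{MAC:client_mac} %{DATA:encryption}: %{DATA:the_message}",
                # Catch-all: keeps the raw text in the_message.  NOTE(review): since
                # this always matches, no event is ever tagged _grokparsefailure, so
                # new or broken message formats never surface as parse failures.
                # Drop it, or alert on the missing structured fields, if that
                # visibility is needed.
                "%{GREEDYDATA:the_message}"
            ]
        }
        # Stamp receipt time and source host on the event; add_field runs only on
        # a successful match, which with the catch-all in place is every event.
        add_field => {
            "received_at"   => "%{@timestamp}"
            "received_from" => "%{host}"
        }
    }
    # Decode syslog_pri into facility/severity fields.
    syslog_pri { }
}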