- if [type] == "syslog" {
- grok {
- break_on_match => true
- match => { "message" => "<%{POSINT:syslog_pri}>%{POSINT:syslog_pid}: %{NOTSPACE:syslog_hostname}\: %{WORD:month} (?: )%{POSINT:day} %{TIME:time}\: \%%{GREEDYDATA:the_message}" }
- match => { "message" => "<%{POSINT:syslog_pri}>%{MONTH} ?( )%{MONTHDAY} %{TIME} %{NOTSPACE:my_hostname} %{WORD}: \[%{NOTSPACE:rulename}\]IN=%{NOTSPACE:inbound_interface} OUT=%{NOTSPACE:outbound_interface}( MAC=(?:(?:[A-Fa-f0-9]{2}:){13}[A-Fa-f0-9]{2}))? SRC=%{IPV4:src} DST=%{IPV4:dst} %{GREEDYDATA:the_message}" }
- match => { "message" => "%{GREEDYDATA:the_message}" }
- match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP} \(%{DATA},%{DATA:ap_mac},%{DATA:version}\) %{DATA:program}: %{DATA:interface}: %{DATA:messagetype} %{MAC:client_mac} %{DATA:encryption}: %{DATA:the_message}" }
- add_field => [ "received_at", "%{@timestamp}" ]
- add_field => [ "received_from", "%{host}" ]
- }
- syslog_pri { }
- }
SHARE
TWEET
Untitled
a guest
Jan 29th, 2015
180
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.