
Untitled

a guest
Apr 12th, 2018
  # Beats listener: accepts events shipped by Filebeat and other Beats agents.
  input {
    beats {
      # Bound to every interface; who can reach port 5044 is decided by
      # firewalling outside this file.
      host => "0.0.0.0"
      port => 5044

      # TLS is enabled with a server certificate and key. Neither
      # ssl_verify_mode nor ssl_certificate_authorities is set, so this block
      # does not request a client certificate: traffic is encrypted, but the
      # sender is not authenticated by this config.
      ssl => true
      # Private key: keep it readable only by the account that runs Logstash.
      ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
      ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    }
  }
  # Parses Apache access-log lines into [apache2][access][*] fields, then
  # enriches them with a parsed timestamp, user-agent details and GeoIP data.
  # There is no conditional around these filters, so they run on every event
  # the input receives, whatever its source.
  filter {
    # Two patterns are tried in order: a full request line, then the short form
    # logged when the request line is "-". Events matching neither are tagged
    # _grokparsefailure (grok's default) and keep their "message" field.
    #
    # user_name, url, referrer and agent are copied from the HTTP request, so
    # their content is chosen by the client; treat them as untrusted wherever
    # they are later rendered or used in queries.
    #
    # NOTE(review): the first pattern escapes the brackets as \[ ... \] while
    # the second uses \\[ ... \\]. Confirm the second one matches under the
    # config.support_escapes setting in use.
    grok {
      match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
        "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
      # Applied only when a pattern matched. The raw log line is then no longer
      # part of the indexed document, so the original text survives only where
      # the source log file is retained.
      remove_field => "message"
    }
    # Keep the timestamp the event carried on arrival; the date filter below
    # replaces @timestamp with the time Apache logged.
    mutate {
      add_field => { "read_timestamp" => "%{@timestamp}" }
    }
    # Parse the Apache time string into @timestamp (the date filter's default
    # target) and drop the string field once parsing succeeds.
    date {
      match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
      remove_field => "[apache2][access][time]"
    }
    # Split the User-Agent header into structured fields; the raw header string
    # is removed on success.
    useragent {
      source => "[apache2][access][agent]"
      target => "[apache2][access][user_agent]"
      remove_field => "[apache2][access][agent]"
    }
    # Look up location data for the logged client address.
    # NOTE(review): if Apache sits behind a proxy or load balancer, remote_ip
    # is presumably the proxy's address - confirm what the access log records.
    geoip {
      source => "[apache2][access][remote_ip]"
      target => "[apache2][access][geoip]"
    }
  }
  # Ships every processed event to the Elasticsearch node on this host.
  output {
    elasticsearch {
      # No user, password or TLS options are set: the connection to the local
      # node is unauthenticated, so access control depends on how that node is
      # bound and secured.
      hosts => localhost

      # Index name and document type are built from [@metadata] fields that
      # arrive with the event from the shipping Beat. The beats input in this
      # file does not verify client certificates, so any sender able to reach
      # it can influence which index its events are written to.
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      # NOTE(review): mapping types were dropped in later Elasticsearch
      # releases - confirm this option is still accepted by the version in use.
      document_type => "%{[@metadata][type]}"

      # Logstash will not install an index template; mappings have to be loaded
      # into Elasticsearch separately.
      manage_template => false
    }
  }