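# Parse BSD-syslog style lines into structured fields.
# Only events whose type was set to "syslog" by the input are touched;
# everything else passes through this filter block unchanged.
#
# All string literals use plain ASCII double quotes: the Logstash config
# parser does not accept typographic quotes ("..."), and a single one in
# a conditional or a match list makes the whole pipeline fail to load.
filter {
  if [type] == "syslog" {
    grok {
      # Standard line shape: "<timestamp> <host> <program>[<pid>]: <text>".
      # The entire line is supplied by the sender, so every field extracted
      # here -- including syslog_hostname -- is self-reported and can be
      # spoofed by whoever can write to the log source. For attribution use
      # received_from below, which is what the input actually observed.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Both extra fields in one hash rather than two repeated add_field
      # settings, so the second entry can never shadow the first regardless
      # of how the config parser merges duplicate keys. These are only added
      # when the match succeeds. received_at is captured here, before the
      # date filter below rewrites @timestamp with the sender's clock, so it
      # keeps the time the event was received.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
      # Lines that do not match are tagged "_grokparsefailure" (grok's
      # default). Alert on that tag: unparsed lines are exactly where a
      # malformed or hostile message would otherwise disappear unnoticed.
    }
    # Derives syslog_facility / syslog_severity from the syslog_pri field.
    # NOTE(review): nothing in this block sets syslog_pri -- this assumes the
    # input (e.g. the syslog input) already stripped the "<PRI>" prefix and
    # populated it. Confirm against the input config; with a raw tcp/udp
    # input the grok pattern above would not even match a "<PRI>" prefix.
    syslog_pri { }
    date {
      # Syslog timestamps carry neither a year nor a zone; the date filter
      # fills in the current year and the Logstash host's local timezone
      # unless a "timezone" option is set -- set it if senders are not in
      # the same zone as this host. Single-digit days are space-padded by
      # syslog ("Mar  5"), hence the double-space pattern listed first.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}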