java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
logstash-core-1.5.0.rc4
Basic config, split across four files: three files each define a UDP input on its own port together with the filtering for that source, and one file handles the output. Below is a sample of one input/filter file and of the output file:
input {
  # VTC syslog arrives over plain UDP on port 5143. UDP carries no
  # authentication and the source address is trivially spoofable, so nothing
  # in this pipeline can verify who sent an event; restrict reachability of
  # this port at the host/network firewall to the VTC units themselves.
  # Every event from this listener is stamped type => "vtc" for later routing.
  udp {
    port => 5143
    type => "vtc"
  }
}
filter {
  # Classify VTC events by free-text patterns in [message].
  # "=~" treats the right-hand string as a regular expression and performs a
  # case-sensitive substring match. Every matching branch also tags the event
  # with log-type => "vtc", which the output file uses to pick the index; an
  # event on this port that matches none of the patterns receives no log-type
  # and falls through to the output's catch-all branch.
  #
  # NOTE(review): the "FAILURE " patterns keep the trailing space from the
  # original rules, so a line whose message ends with FAILURE will not match
  # -- confirm against real samples before relying on it.

  ##### Auth failures -- evaluated first, so a line that matches both a
  ##### failure and a success pattern is recorded as a failure.
  if [message] =~ "Authentication failure"
     or [message] =~ "User cannot be authenticated"
     or ([message] =~ "Login attempt" and [message] =~ "FAILURE ")
     or ([message] =~ "Unauthenticated user" and [message] =~ "FAILURE ") {
    mutate {
      add_field => {
        "vtc-type" => "Auth_Failure"
        "log-type" => "vtc"
      }
    }
  }

  ##### Auth success
  # A shell session start or an explicit "Recorded successful login" line.
  else if [message] =~ "Starting session: shell"
          or [message] =~ "Recorded successful login" {
    mutate {
      add_field => {
        "vtc-type" => "Login_Success"
        "log-type" => "vtc"
      }
    }
  }
  # A user-ID line reporting SUCCESS is tagged separately from a login.
  else if [message] =~ "user ID" and [message] =~ "SUCCESS" {
    mutate {
      add_field => {
        "vtc-type" => "Auth_Success"
        "log-type" => "vtc"
      }
    }
  }
}
Output file (shared by all three input files):
output {
  # Debug aid: echoes every event -- including the raw authentication
  # messages -- to the console. Useful while validating the pipeline; remove
  # it in production so that data is not duplicated into the process's stdout.
  stdout { codec => rubydebug }

  # Route by the log-type tag that the per-source filter files set. Each source
  # gets its own daily index; anything left untagged lands in a daily "unknown"
  # index rather than being dropped, so unclassified events remain visible.
  # "host" is the option name used by the elasticsearch output in this 1.5
  # release. The connection is to loopback only; no transport security or
  # credentials are configured here, which is acceptable only while
  # Elasticsearch is not reachable from other hosts.
  if [log-type] == "vtc" {
    elasticsearch {
      index => "logstash_vtc-%{+YYYY.MM.dd}"
      host  => "localhost"
    }
  }
  else if [log-type] == "cisco" {
    elasticsearch {
      index => "logstash_cisco-%{+YYYY.MM.dd}"
      host  => "localhost"
    }
  }
  else if [log-type] == "juniper" {
    elasticsearch {
      index => "logstash_juniper-%{+YYYY.MM.dd}"
      host  => "localhost"
    }
  }
  else {
    # Catch-all for events no filter file classified.
    elasticsearch {
      index => "logstash_unknown-%{+YYYY.MM.dd}"
      host  => "localhost"
    }
  }
}