Multiple filters for syslog

irb7501 · March 23, 2018, 7:28pm

Can anyone suggest how i might include another match for syslog in this beats.conf? I'm looking to collect some fortigate syslogs in addition to what we are collecting from other syslog sources.

input{
beats{
port => "5043"
}
}

filter {
if [fields][logtype] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}

if [fields][logtype] == "iis_log" {
    if [message] =~ "^#" {
        drop {}
    }

    grok {
        match => { "message" => [ "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer}" ] }
    }

}

}

output{
elasticsearch {
hosts => ["10.7.1.61:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

yaauie · March 24, 2018, 8:30am

It's unclear from your post what you are attempting to do.

irb7501 · March 26, 2018, 5:39pm

I am wondering how an additional filter for syslog would look. This particular beats.conf has an existing filter for syslog on Linux - would I be able to add another for Fortigate syslog?

system · April 23, 2018, 5:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter does not seem to supply logs for kibana Logstash	5	619	March 29, 2018
Filtering on beats fields issue Logstash	7	2211	September 5, 2017
Filtering rules in Logstash Logstash	2	432	June 17, 2017
[Working example]Fortigate config for Logstash Logstash	2	15978	December 19, 2017
Grok & firewall logs Logstash	7	2501	October 22, 2019

Multiple filters for syslog

Related Topics