Multiple filters for syslog

Can anyone suggest how I might include another match for syslog in this beats.conf? I'm looking to collect some Fortigate syslogs in addition to what we are collecting from other syslog sources.

input {
  beats {
    port => "5043"
  }
}

filter {
  # Linux syslog lines shipped by Beats with fields.logtype: syslog
  if [fields][logtype] == "syslog" {
    grok {
      # the brackets around the pid must be escaped; an unescaped [...] is a regex character class
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }

  # IIS W3C logs shipped by Beats with fields.logtype: iis_log
  if [fields][logtype] == "iis_log" {
    # W3C header lines start with '#' and carry no event
    if [message] =~ "^#" {
      drop {}
    }

    grok {
      match => { "message" => [ "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer}" ] }
    }
  }
}

output {
  elasticsearch {
    hosts => ["10.7.1.61:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

It's unclear from your post what you are attempting to do.

I am wondering how an additional filter for syslog would look. This particular beats.conf has an existing filter for syslog on Linux - would I be able to add another for Fortigate syslog?
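As an added example (not from this thread), this is one way to write the extra Fortigate branch next to the existing syslog one: a second conditional on a different logtype value. It assumes the Fortigate lines reach Logstash through Beats with fields.logtype set to "fortigate" (a value chosen here, set in the Beats fields option), and the sample line in the comment is constructed.

```logstash
filter {
  # Existing Linux syslog branch stays as it is; this branch only runs for
  # events whose Beats "fields.logtype" is "fortigate" (assumed value).
  if [fields][logtype] == "fortigate" {
    grok {
      # Constructed sample line (FortiGate bodies are key=value pairs):
      # <189>date=2019-05-13 time=11:45:03 devname="FGT60E" devid="FGT-PLACEHOLDER" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.1.1.5 dstip=198.51.100.7 action="accept"
      # Strip an optional <PRI> prefix so it does not corrupt the first key.
      match => { "message" => "^(?:<%{POSINT:syslog_pri}>)?%{GREEDYDATA:fortigate_kv}$" }
      tag_on_failure => ["_fortigate_grok_failure"]
    }

    # Split the body on spaces into key=value pairs; the kv filter keeps
    # double-quoted values (e.g. type="traffic") intact. Keys land under
    # [fortigate] so they cannot collide with top-level fields such as "type".
    kv {
      source => "fortigate_kv"
      field_split => " "
      value_split => "="
      target => "fortigate"
      remove_field => ["fortigate_kv"]
    }

    # FortiGate sends the event time as separate date= and time= fields;
    # join them and use the result as @timestamp instead of the arrival time.
    if [fortigate][date] and [fortigate][time] {
      mutate {
        add_field => { "fortigate_timestamp" => "%{[fortigate][date]} %{[fortigate][time]}" }
      }
      date {
        match => [ "fortigate_timestamp", "yyyy-MM-dd HH:mm:ss" ]
        remove_field => ["fortigate_timestamp"]
      }
    }
  }
}
```

If the Fortigate lines arrive tagged with the same logtype as the Linux hosts, the alternative is to give the existing grok a list of patterns in its match array; grok tries them in order and uses the first that matches.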
