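# Test pipeline for the Guardium MongoDB filter.
# Receives MongoDB audit messages wrapped in a syslog envelope over plain
# TCP/UDP, strips the envelope with grok, hands the payload to
# mongodb_guardium_filter, and prints any resulting GuardRecord to stdout.
# Test use only: the listeners are unauthenticated and unencrypted, and stdout
# stands in for the Guardium Universal Connector output used in production.
input {
  tcp { port => 5000 type => "syslog-mongodb" }
  udp { port => 5141 type => "syslog-mongodb" }
}

filter {
  if [type] == "syslog-mongodb" {
    # Split the syslog envelope from the MongoDB message.
    # SYSLOGPROG already captures [program] and [pid], which is why both of
    # those (and the mostly-redundant [syslog_pid]) are dropped further down.
    # For mongoaudit.log message tests, or if SYSLOGTIMESTAMP does not match,
    # swap SYSLOGTIMESTAMP for TIMESTAMP_ISO8601.
    # On no match the event is tagged _grokparsefailure and still flows on.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:server_hostname} %{SYSLOGPROG:source_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }

    # Set @timestamp from the syslog timestamp captured above.
    # The grok writes it to [syslog_timestamp]; the previous match on
    # [timestamp] referred to a field no pattern produces, so @timestamp was
    # silently left at ingest time. Syslog pads single-digit days with two
    # spaces ("Oct  5"), hence the extra "MMM  d" form. The syslog timestamp
    # has no year; the date filter assumes the current one. A value that fits
    # none of the formats tags the event _dateparsefailure.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Build the GuardRecord from the MongoDB audit payload in [message].
    mongodb_guardium_filter {}

    # Drop the envelope fields once the filter has consumed them. Events the
    # filter could not parse keep every field so the failure can be inspected.
    # This must run after the date filter, which reads [syslog_timestamp].
    if "_mongoguardium_json_parse_error" not in [tags] {
      mutate {
        remove_field => [
          # "message",
          "syslog_timestamp",
          "source_program", "program", "syslog_pid",
          "syslog_message",
          "server_hostname", "host"
        ]
      }
    }
  }
}

output {
  # Only events that produced a GuardRecord are printed; everything else is
  # discarded.
  if [GuardRecord] {
    stdout { codec => rubydebug }
    # in production, Guardium Universal connector output plugin processes the filter output
  }
}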