Skip to content

Instantly share code, notes, and snippets.

/gist:8056798

Created December 20, 2013 15:59
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save anonymous/8056798 to your computer and use it in GitHub Desktop.
Save anonymous/8056798 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
input {
tcp {
type => "eventlog"
host => "10.1.1.2"
port => 3515
format => 'json'
}
}
filter {
# Incoming Windows Event logs from nxlog
# The EventReceivedTime field must contain only digits, or it is an invalid message
grep {
type => "eventlog"
"EventReceivedTime" => "\d+"
}
mutate {
# Lowercase some values that are always in uppercase
type => "eventlog"
lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
}
mutate {
# Set source to what the message says
type => "eventlog"
rename => [ "Hostname", "@source_host" ]
}
date {
# Convert timestamp from integer in UTC
type => "eventlog"
EventReceivedTime => "UNIX"
}
mutate {
# Rename some fields into something more useful
type => "eventlog"
rename => [ "Message", "@message" ]
rename => [ "Severity", "eventlog_severity" ]
rename => [ "SeverityValue", "eventlog_severity_code" ]
rename => [ "Channel", "eventlog_channel" ]
rename => [ "SourceName", "eventlog_program" ]
rename => [ "SourceModuleName", "nxlog_input" ]
rename => [ "Category", "eventlog_category" ]
rename => [ "EventID", "eventlog_id" ]
rename => [ "RecordNumber", "eventlog_record_number" ]
rename => [ "ProcessID", "eventlog_pid" ]
}
mutate {
# Remove redundant fields
type => "eventlog"
remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
}
}
output {
stdout { debug => true debug_format => "json"}
elasticsearch {
cluster => "Mint16ES"
tags => "remote_syslog"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment