boardstretcher/gist:1fa79ed36e0bf876bda6

## gistfile1.txt
#LOCAL LOGS
input {
  file {
    path => [ "/var/log/auth.log" ]
    type => "auth"
  }
}

input {
  file {
    path => [ "/var/log/messages", "/var/log/syslog" ]
    type => "syslog"
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}

#LOCAL 'REMOTE' LOGS GATHERED WITH RSYNC
input {
  file {
    path => [ "/var/log/remote/server01/auth.log", "/var/log/remote/s365server02/auth.log", "/var/log/remote/s365server03/auth.log", "/var/log/remote/s365server04/auth.log", "/var/log/remote/s365server05/auth.log", "/var/log/remote/s365server06/auth.log" ]
    type => "auth"
  }
}

input {
  file {
    path => [ "/var/log/remote/server01/messages", "/var/log/remote/s365server01/syslog", "/var/log/remote/s365server02/messages", "/var/log/remote/s365server02/syslog", "/var/log/remote/s365server03/messages", "/var/log/remote/s365server03/syslog", "/var/log/remote/s365server04/messages", "/var/log/remote/s365server04/syslog", "/var/log/remote/s365server05/messages", "/var/log/remote/s365server05/syslog", "/var/log/remote/s365server06/messages", "/var/log/remote/s365server06/syslog" ]
    type => "syslog"
  }
}

filter {
  grok {
        type => "auth"
        match => [ "message", "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}" ]
  }
  grok {
        type => "syslog"
        match => [ "message", "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}" ]
  }

}

output {
  elasticsearch {
    host => localhost
  }
  stdout { codec => rubydebug }
}

#WINDOWS LOGS,.. ACCEPT INPUT ON 3515
#USE NXLOG ON WINDOWS ITSELF
input {
    tcp {
        type => "WindowsEventLog"
        port => 3515
        codec => "line"
    }
}

output {
  elasticsearch {
    host => localhost
  }
  stdout { codec => rubydebug }
}
	#LOCAL LOGS
	input {
	file {
	path => [ "/var/log/auth.log" ]
	type => "auth"
	}
	}

	input {
	file {
	path => [ "/var/log/messages", "/var/log/syslog" ]
	type => "syslog"
	}
	}

	output {
	elasticsearch {
	host => "localhost"
	}
	}

	#LOCAL 'REMOTE' LOGS GATHERED WITH RSYNC
	input {
	file {
	path => [ "/var/log/remote/server01/auth.log", "/var/log/remote/s365server02/auth.log", "/var/log/remote/s365server03/auth.log", "/var/log/remote/s365server04/auth.log", "/var/log/remote/s365server05/auth.log", "/var/log/remote/s365server06/auth.log" ]
	type => "auth"
	}
	}

	input {
	file {
	path => [ "/var/log/remote/server01/messages", "/var/log/remote/s365server01/syslog", "/var/log/remote/s365server02/messages", "/var/log/remote/s365server02/syslog", "/var/log/remote/s365server03/messages", "/var/log/remote/s365server03/syslog", "/var/log/remote/s365server04/messages", "/var/log/remote/s365server04/syslog", "/var/log/remote/s365server05/messages", "/var/log/remote/s365server05/syslog", "/var/log/remote/s365server06/messages", "/var/log/remote/s365server06/syslog" ]
	type => "syslog"
	}
	}

	filter {
	grok {
	type => "auth"
	match => [ "message", "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}" ]
	}
	grok {
	type => "syslog"
	match => [ "message", "%{SYSLOGTIMESTAMP} %{WORD:host} %{GREEDYDATA:syslog_message}" ]
	}

	}

	output {
	elasticsearch {
	host => localhost
	}
	stdout { codec => rubydebug }
	}

	#WINDOWS LOGS,.. ACCEPT INPUT ON 3515
	#USE NXLOG ON WINDOWS ITSELF
	input {
	tcp {
	type => "WindowsEventLog"
	port => 3515
	codec => "line"
	}
	}

	output {
	elasticsearch {
	host => localhost
	}
	stdout { codec => rubydebug }
	}