bvenable/gist:6344456

## gistfile1.txt
input {
  udp {
    port => 5140
    type => syslog
  }
}

filter {
  metrics {
      type => "syslog"
      meter => "events"
      add_tag => "metric"
  }
  grok {
      type => "syslog"
      pattern => [ "(%?m<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message})" ]
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{@source_host}" ]
  }
#  syslog_pri {
#      type => "syslog"
#  }
  date {
      type => "syslog"
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
  mutate {
      type => "syslog"
      exclude_tags => "_grokparsefailure"
      replace => [ "@source_host", "%{syslog_hostname}" ]
      replace => [ "@message", "%{syslog_message}" ]
  }
  mutate {
      type => "syslog"
      remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
  }
  grep {
      type => "syslog"
      match => [ "message", "^$" ]
      drop => false
      add_tag => [ "nomessage" ]
  }
}

output {
	stdout {
		tags => "nomessage"
	}
	stdout {
		tags => "metric"
		message => "count: %{events\.count} 1m: %{events\.rate_1m} 5m: %{events\.rate_5m} 15m: %{events\.rate_15m}"
	}
#	stdout {
#		type => "syslog"
#		message => "facility: %{syslog_facility}"
#	}
	gelf {
		facility => "%{syslog_facility}"
		level => "%{syslog_severity}"
		host => "127.0.0.1"
		port => 12201
	}
}
	input {
	udp {
	port => 5140
	type => syslog
	}
	}

	filter {
	metrics {
	type => "syslog"
	meter => "events"
	add_tag => "metric"
	}
	grok {
	type => "syslog"
	pattern => [ "(%?m<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message})" ]
	add_field => [ "received_at", "%{@timestamp}" ]
	add_field => [ "received_from", "%{@source_host}" ]
	}
	# syslog_pri {
	# type => "syslog"
	# }
	date {
	type => "syslog"
	match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
	}
	mutate {
	type => "syslog"
	exclude_tags => "_grokparsefailure"
	replace => [ "@source_host", "%{syslog_hostname}" ]
	replace => [ "@message", "%{syslog_message}" ]
	}
	mutate {
	type => "syslog"
	remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
	}
	grep {
	type => "syslog"
	match => [ "message", "^$" ]
	drop => false
	add_tag => [ "nomessage" ]
	}
	}

	output {
	stdout {
	tags => "nomessage"
	}
	stdout {
	tags => "metric"
	message => "count: %{events\.count} 1m: %{events\.rate_1m} 5m: %{events\.rate_5m} 15m: %{events\.rate_15m}"
	}
	# stdout {
	# type => "syslog"
	# message => "facility: %{syslog_facility}"
	# }
	gelf {
	facility => "%{syslog_facility}"
	level => "%{syslog_severity}"
	host => "127.0.0.1"
	port => 12201
	}
	}