c10l/logstash_syslog_input.erb

## logstash_syslog_input.erb
input {
  tcp {
    codec => line {
      charset => "ISO8859-1"
    }
    port => <%= port %>
    tags => ["syslog"]
  }
}
filter {
  if ("syslog" in [tags] and "redis" not in [tags]) {
    grok {
      match => [ "message", "<%%{POSINT:syslog_pri}>(%{TIMESTAMP_ISO8601:syslog_timestamp}|%{SYSLOGTIMESTAMP:syslog_timestamp}) %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(\(%{DATA:syslog_extra}\))?(?:\[%{POSINT:syslog_pid}\]?)?:? %{GREEDYDATA:syslog_message}" ]
    }
    syslog_pri {}
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      timezone => "<%= @logstash_timezone %>"
    }
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "message", "%{syslog_message}" ]
        replace => [ "host", "%{syslog_hostname}" ]
        replace => [ "facility", "%{syslog_facility}" ]
        replace => [ "severity", "%{syslog_severity}" ]
        replace => [ "application", "%{syslog_program}" ]
      }
    }
    mutate {
      remove_field => [
        "syslog_message",
        "syslog_hostname",
        "syslog_facility",
        "syslog_facility_code",
        "syslog_pri",
        "syslog_program",
        "syslog_severity",
        "syslog_severity_code",
        "syslog_timestamp"
      ]
    }
  }
}
	input {
	tcp {
	codec => line {
	charset => "ISO8859-1"
	}
	port => <%= port %>
	tags => ["syslog"]
	}
	}
	filter {
	if ("syslog" in [tags] and "redis" not in [tags]) {
	grok {
	match => [ "message", "<%%{POSINT:syslog_pri}>(%{TIMESTAMP_ISO8601:syslog_timestamp}\|%{SYSLOGTIMESTAMP:syslog_timestamp}) %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(\(%{DATA:syslog_extra}\))?(?:\[%{POSINT:syslog_pid}\]?)?:? %{GREEDYDATA:syslog_message}" ]
	}
	syslog_pri {}
	date {
	match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
	timezone => "<%= @logstash_timezone %>"
	}
	if !("_grokparsefailure" in [tags]) {
	mutate {
	replace => [ "message", "%{syslog_message}" ]
	replace => [ "host", "%{syslog_hostname}" ]
	replace => [ "facility", "%{syslog_facility}" ]
	replace => [ "severity", "%{syslog_severity}" ]
	replace => [ "application", "%{syslog_program}" ]
	}
	}
	mutate {
	remove_field => [
	"syslog_message",
	"syslog_hostname",
	"syslog_facility",
	"syslog_facility_code",
	"syslog_pri",
	"syslog_program",
	"syslog_severity",
	"syslog_severity_code",
	"syslog_timestamp"
	]
	}
	}
	}