christophersjchow/pipeline.conf

## pipeline.conf
input {
  udp {
    port => 10514
    type => unifi_syslog
  }
}

filter {
  if [type] == "unifi_syslog" {
    grok {
      patterns_dir => ["/usr/share/logstash/patterns"]
      match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:timestamp}\s+%{GREEDYDATA:hostname},%{GREEDYDATA:build},%{UBIQUITI_OS_VERSION:version}\s+kernel:\s+%{UBIQUITI_KERNEL_PREFIX}\s+%{IPTABLES}" }
    }

    date {
      match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
      timezone => "Australia/Sydney"
      remove_field => ["timestamp"]
    }
  }
}

output {
  if "_grokparsefailure" not in [tags] {
    if [type] == "unifi_syslog" {
      elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "unifi-%{+YYYY.MM.dd}"
      }
    }
  }
}

## syslog_example.txt
<12>Feb  7 22:44:38 DreamMachine,6a09c7cc8c72,udm-1.8.6.2969 kernel: [ 8641.502155] IN=br4 OUT=br3 MAC=76:83:c2:97:95:4f:08:02:8e:2b:5f:cc:08:00 SRC=192.168.4.202 DST=192.168.3.54 LEN=898 TOS=0x00 PREC=0x00 TTL=63 ID=22279 DF PROTO=UDP SPT=50000 DPT=19130 LEN=878

## udm
UBIQUITI_OS_VERSION [a-zA-Z0-9\.\-]*
UBIQUITI_KERNEL_PREFIX [\[\]0-9\.\s]*
IPTABLES %{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})
IPTABLES_ETHERNET IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: MAC=%{NETFILTERMAC})?
IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}
IPTABLES_IP_START SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?

IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?
IPTABLES_PROTOCOL PROTO=(?<network.transport>[a-zA-Z0-9]+)
IPTABLES_PORT_PAIR SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int}
IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags}
IPTABLES_UDP_DETAILS LEN=%{UNSIGNED_INT:iptables.udp.length:int}
IPTABLES_ICMP_DETAILS TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})
IPTABLES_INCOMPLETE_PACKET INCOMPLETE \\[%{UNSIGNED_INT:iptables.incomplete_bytes:int} bytes\\]
NETFILTERMAC (?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?)
ETHTYPE (?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2})
ETHTYPE_DISCARD (?::[A-Fa-f0-9]{2})*
UNSIGNED_INT [0-9]+
IPTABLES_TCP_FLAGS ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*
IPTABLES_TCP_SEQ SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int}
IPTABLES_ICMP_EXTRA_ECHO ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int}
IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int}
IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:iptables.icmp.redirect}
IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
IPTABLES_IP_FRAGFLAG ((?<= )(CE|DF|MF))*
IPTABLES_IPV6 SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int} %{IPTABLES_IP_PAYLOAD}
	input {
	udp {
	port => 10514
	type => unifi_syslog
	}
	}

	filter {
	if [type] == "unifi_syslog" {
	grok {
	patterns_dir => ["/usr/share/logstash/patterns"]
	match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:timestamp}\s+%{GREEDYDATA:hostname},%{GREEDYDATA:build},%{UBIQUITI_OS_VERSION:version}\s+kernel:\s+%{UBIQUITI_KERNEL_PREFIX}\s+%{IPTABLES}" }
	}

	date {
	match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
	timezone => "Australia/Sydney"
	remove_field => ["timestamp"]
	}
	}
	}

	output {
	if "_grokparsefailure" not in [tags] {
	if [type] == "unifi_syslog" {
	elasticsearch {
	hosts => ["elasticsearch:9200"]
	index => "unifi-%{+YYYY.MM.dd}"
	}
	}
	}
	}
	UBIQUITI_OS_VERSION [a-zA-Z0-9\.\-]*
	UBIQUITI_KERNEL_PREFIX [\[\]0-9\.\s]*
	IPTABLES %{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}\|%{IPTABLES_IPV6})
	IPTABLES_ETHERNET IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: MAC=%{NETFILTERMAC})?
	IPTABLES_IP %{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}
	IPTABLES_IP_START SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?

	IPTABLES_IP_PAYLOAD %{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}\|%{IPTABLES_UDP_DETAILS}\|%{IPTABLES_ICMP_DETAILS}\|%{IPTABLES_INCOMPLETE_PACKET}))?
	IPTABLES_PROTOCOL PROTO=(?<network.transport>[a-zA-Z0-9]+)
	IPTABLES_PORT_PAIR SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int}
	IPTABLES_TCP_DETAILS (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags}
	IPTABLES_UDP_DETAILS LEN=%{UNSIGNED_INT:iptables.udp.length:int}
	IPTABLES_ICMP_DETAILS TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( %{IPTABLES_INCOMPLETE_PACKET})\|%{IPTABLES_ICMP_EXTRA})
	IPTABLES_INCOMPLETE_PACKET INCOMPLETE \\[%{UNSIGNED_INT:iptables.incomplete_bytes:int} bytes\\]
	NETFILTERMAC (?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}\|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?)
	ETHTYPE (?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2})
	ETHTYPE_DISCARD (?::[A-Fa-f0-9]{2})*
	UNSIGNED_INT [0-9]+
	IPTABLES_TCP_FLAGS ((?<= )(CWR\|ECE\|URG\|ACK\|PSH\|RST\|SYN\|FIN))*
	IPTABLES_TCP_SEQ SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int}
	IPTABLES_ICMP_EXTRA_ECHO ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int}
	IPTABLES_ICMP_EXTRA_PARAM PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int}
	IPTABLES_ICMP_EXTRA_REDIRECT GATEWAY=%{IP:iptables.icmp.redirect}
	IPTABLES_ICMP_EXTRA ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}\|%{IPTABLES_ICMP_EXTRA_PARAM}\|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*
	IPTABLES_IP_FRAGFLAG ((?<= )(CE\|DF\|MF))*
	IPTABLES_IPV6 SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int} %{IPTABLES_IP_PAYLOAD}