cyberno-ir

## elk-stack-log.yml
- type: filestream
  id: cyberno-products
  enabled: true
  paths:
    - /var/log/syslog
  processors:
    - drop_event:
        when:
          not.contains:
            message: "User_Email"

## kiosk-decoder.xml
<decoder name="kiosk">
    <program_name>main</program_name>
</decoder>

<decoder name="kiosk_child">
    <parent>kiosk</parent>
    <prematch>User_Email: (\S*) User_IP: (\S*) User_Agent: (\.*) Log: (\.*) Extra: </prematch>
    <plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
	- type: filestream
	id: cyberno-products
	enabled: true
	paths:
	- /var/log/syslog
	processors:
	- drop_event:
	when:
	not.contains:
	message: "User_Email"
	<decoder name="kiosk">
	<program_name>main</program_name>
	</decoder>

	<decoder name="kiosk_child">
	<parent>kiosk</parent>
	<prematch>User_Email: (\S) User_IP: (\S) User_Agent: (\.) Log: (\.) Extra: </prematch>
	<plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
	</decoder>