Windows EventLog logstash config
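# filter handled by puppet
#
# Normalises Windows EventLog records shipped by nxlog (JSON over TCP, see the
# input below) into an `eventlog.*` namespace plus a handful of top-level
# fields (hostname, ip, port, level, message, ...). Only events of type
# "eventlog" that carry an EventTime are touched; anything else passes through
# unchanged.
filter {
  # EventTime is expected as "YYYY-MM-dd HH:mm:ss". The `=~ ".*"` test only
  # checks that the field is present; a malformed value is not rejected here
  # but will fail in the date filter below (which tags the event) instead.
  if [type] == "eventlog"
     and [EventTime] =~ ".*"
     and [Message] !~ "Session_Citrix Xen" {
    mutate {
      # Lowercase some values that are always in uppercase
      lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    date {
      # Use the time the event was generated on the Windows host, not the time
      # nxlog picked it up (EventReceivedTime is dropped further down).
      # match => [ "EventReceivedTime", "ISO8601" ]
      #
      # NOTE(review): no `timezone` is given, so the value is parsed in the
      # Logstash host's zone. nxlog emits EventTime in the sending host's local
      # time unless configured otherwise -- confirm both agree (or set
      # `timezone` explicitly), otherwise @timestamp is off by the UTC offset
      # and incident timelines built from these events are wrong.
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    # Move the nxlog field names into our schema. Renames run in order; a
    # missing source is a no-op and an existing destination is overwritten,
    # so for the few duplicated targets (IpPort/Port -> port) the later
    # rename wins when both are present.
    mutate {
      rename => [ "AccountName", "[eventlog][user]" ]
      rename => [ "AccountType", "[eventlog][account_type]" ]
      rename => [ "ActivityID", "[eventlog][activity_id]" ]
      rename => [ "AdapterName", "[eventlog][dns][adapter_name]" ]
      rename => [ "AdapterSuffixName","[eventlog][dns][adapter_suffix_name]" ]
      rename => [ "Address", "ip6" ]
      rename => [ "ApplicationPath", "[eventlog][application_path]" ]
      rename => [ "AuthenticationPackageName", "[eventlog][authentication_package_name]" ]
      rename => [ "Category", "[eventlog][category]" ]
      rename => [ "Channel", "[eventlog][channel]" ]
      rename => [ "ConnType", "[eventlog][conn_type]" ]
      rename => [ "ClientIP", "[eventlog][client_ip]" ]
      rename => [ "DnsServerList", "[eventlog][dns][dns_server_list]" ]
      rename => [ "Domain", "domain" ]
      rename => [ "EventID", "[eventlog][event_id]" ]
      rename => [ "EventType", "[eventlog][event_type]" ]
      rename => [ "File", "[eventlog][file_path]" ]
      rename => [ "Guid", "[eventlog][guid]" ]
      rename => [ "Hostname", "hostname" ]
      rename => [ "hResult", "[eventlog][hresult]" ]
      rename => [ "Interface", "[eventlog][interface]" ]
      rename => [ "InterfaceGuid", "[eventlog][interface_guid]" ]
      rename => [ "InterfaceName", "[eventlog][interface_name]" ]
      rename => [ "IpAddress", "ip" ]
      rename => [ "Ipaddress", "[eventlog][dns][ip_address]" ]
      rename => [ "IpPort", "port" ]
      # Authentication detail from 4624/4625/4648-style events. These used to be
      # dropped as "redundant", but LogonType (2 interactive, 3 network,
      # 10 RDP, ...) and the NTLM package/key length are exactly what logon
      # anomaly and downgrade detections key on, so keep them.
      rename => [ "KeyLength", "[eventlog][key_length]" ]
      rename => [ "LmPackageName", "[eventlog][lm_package_name]" ]
      rename => [ "LogonProcessName", "[eventlog][logon_process_name]" ]
      rename => [ "LogonType", "[eventlog][logon_type]" ]
      rename => [ "Key", "[eventlog][key]" ]
      rename => [ "LogonGuid", "[eventlog][logon_guid]" ]
      rename => [ "Message", "message" ]
      rename => [ "ModifyingUser", "[eventlog][modifying_user]" ]
      rename => [ "NewProfile", "[eventlog][new_profile]" ]
      rename => [ "OldProfile", "[eventlog][old_profile]" ]
      rename => [ "Opcode", "[eventlog][opcode]" ] # http://msdn.microsoft.com/en-us/library/windows/desktop/dd996918%28v=vs.85%29.aspx
      rename => [ "OpcodeValue", "[eventlog][opcode_value]" ]
      rename => [ "param1", "[eventlog][param1]" ]
      rename => [ "param2", "[eventlog][param2]" ]
      rename => [ "Port", "port" ]
      rename => [ "PrivilegeList", "[eventlog][privilege_list]" ]
      rename => [ "ProcessID", "[eventlog][process_id]" ]
      # Fixed: the target was "[eventlog][process_name" (missing "]"), so the
      # process name never landed in the eventlog namespace.
      rename => [ "ProcessName", "[eventlog][process_name]" ]
      rename => [ "ProviderGuid", "[eventlog][provider_guid]" ]
      rename => [ "ReasonCode", "[eventlog][reason_code]" ]
      rename => [ "RecordNumber", "[eventlog][record_number]" ]
      rename => [ "roleId", "[eventlog][role_id]" ]
      rename => [ "ScenarioId", "[eventlog][scenario_id]" ]
      rename => [ "Severity", "level" ]
      rename => [ "SeverityValue", "[eventlog][severity_code]" ]
      rename => [ "SourceModuleName", "nxlog_input" ]
      rename => [ "SourceName", "[eventlog][program]" ]
      rename => [ "SubjectDomainName", "[eventlog][subject_domain_name]" ]
      rename => [ "SubjectLogonId", "[eventlog][subject_logonid]" ]
      rename => [ "SubjectUserName", "[eventlog][subject_user_name]" ]
      rename => [ "SubjectUserSid", "[eventlog][subject_user_sid]" ]
      rename => [ "System", "[eventlog][system]" ]
      rename => [ "TargetDomainName", "[eventlog][target_domain_name]" ]
      rename => [ "TargetLogonId", "[eventlog][target_logonid]" ]
      rename => [ "TargetUserName", "[eventlog][target_user_name]" ]
      rename => [ "TargetUserSid", "[eventlog][target_user_sid]" ]
      rename => [ "TotalXPaths" , "[eventlog][total_xpaths]" ]
      rename => [ "ThreadID", "thread" ]
    }
    mutate {
      # Remove fields that are redundant with what was renamed above
      # (EventTime is already in @timestamp, Severity/EventType carry the
      # audit success/failure information, etc.). Dropping a field here is a
      # one-way loss at index time, so think twice before adding to this list.
      remove_field => [
        "CurrentOrNextState",
        "Description",
        "EventReceivedTime",
        "EventTime",
        "EventTimeWritten",
        "IPVersion",
        "Keywords",
        "Name",
        "PolicyProcessingMode",
        "Protocol",
        "ProtocolType",
        "SourceModuleType",
        "State",
        "Task",
        "TransmittedServices",
        "Type",
        "UserID",
        "Version",
        "serverName"
      ]
    }
    # clean out the host name: strip the site-specific "<x>.dev.intelliplan.net"
    # suffix so the short name is left. (Hostname was already lowercased before
    # the rename; the second lowercase is harmless and kept for safety.)
    mutate {
      lowercase => [ "hostname" ]
      gsub => [ "hostname", "\.[^\.]+\.dev\.intelliplan\.net", "" ]
    }
  }
}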
input {
  # Receive the nxlog stream: one JSON document per event, tagged and typed
  # "eventlog" so the filter section above picks it up.
  tcp {
    type  => "eventlog"
    tags  => ['windows', 'eventlog']
    codec => "json"
    # Bind on every interface.
    host  => "0.0.0.0"
    port  => 1935
    # NOTE(review): this is a plain, unauthenticated TCP listener. Any host
    # that can reach port 1935 can inject events that will be indexed as
    # Windows audit records, or flood the pipeline. Limit reachability to the
    # nxlog senders (host firewall / security group) and consider the tcp
    # input's ssl_* options together with nxlog's om_ssl so the stream is
    # encrypted and the sender is verified.
  }
}
ghost commented Oct 23, 2014

did you get eventlog working?