joaociocca/rras.logstash.conf

## rras.logstash.conf
input {
  elasticsearch {
    hosts => ["<server>"]
    index => "rras_vpn*"
    query => '
    {
      "query":
        { "range" : {
          "@timestamp" : {
          "gte" : "2018-11-01", "lte" : "now"
        }}},
      "sort": [ "@timestamp" ]
    }
    '
    docinfo => true
    docinfo_fields => {
      "_id" => "document_id"
      "_index" => "document_index"
    }
  }
}

filter {

  if ![CallingStationID] {

    mutate {
      gsub => [ "FQUser", "([\\])", "\1\1" ]
    }

    elasticsearch {
      hosts => ["<server>"]
      index => "%{[@metadata][document_index]}"
      query_template => "config/reindex_lookup.json"
      fields => {
        "MSRASClientName" => "Source_MSRASClientName"
        "FQUser" => "Source_FQUser"
        "UserName" => "Source_UserName"
        "TunnelClientEndpt" => "Source_TunnelClientEndpt"
        "CallingStationID" => "Source_CallingStationID"
        "[@metadata][_id]" => "Source_ID"
        "message" => "Source_message"
      }
    }

    mutate {
      gsub => [ "FQUser", "[\\]([\\])", "\1" ]
    }

    ruby {
      code => '
        sourceUser = event.get("Source_UserName");
        sourceFQ = event.get("Source_FQUser");
        thisFQ = event.get("FQUser");

        if thisFQ.nil?
          if !sourceFQ.nil?
            nome = sourceFQ.downcase;
          elsif !sourceUser.nil?
            nome = sourceUser.downcase;
          end
        else
          nome = thisFQ.downcase;
        end

        event.set("LoginCredential", nome);

        sourceCalling = event.get("Source_CallingStationID")
        sourceEndpt = event.get("Source_TunnelClientEndpt")

        if !sourceCalling.nil?
          source = sourceCalling.to_s;
        elsif !sourceEndpt.nil?
          source = sourceEndpt.to_s;
        end

        event.set("SourceIP", source);
      '
    }

  } else {
    ruby {
      code => '
        thisFQ = event.get("FQUser");
        thisUser = event.get("UserName");

        if thisFQ.nil?
          if !thisUser.nil?
            nome = thisUser.downcase;
          end
        else
          nome = thisFQ.downcase;
        end

        event.set("LoginCredential", nome);

        event.set("SourceIP", event.get("CallingStationID"));
      '
    }
  }

  mutate {
    convert => {
      "@version" => "integer"
      "AcctAuthentic" => "integer"
      "AcctDelayTime" => "integer"
      "AcctInputOctets" => "integer"
      "AcctInputPackets" => "integer"
      "AcctLinkCount" => "integer"
      "AcctMultiSsnID" => "integer"
      "AcctOutputOctets" => "integer"
      "AcctOutputPackets" => "integer"
      "AcctSessionID" => "integer"
      "AcctSessionTime" => "integer"
      "AcctStatusType" => "integer"
      "AcctTerminateCause" => "integer"
      "AuthenticationType" => "integer"
      "EventTimestamp" => "integer"
      "FramedProtocol" => "integer"
      "IdleTimeout" => "integer"
      "MSMPPEEncryptionTypes" => "integer"
      "MSMPPEEncryptionPolicy" => "integer"
      "MSRASVendor" => "integer"
      "NASPort" => "integer"
      "NASPortType" => "integer"
      "PacketType" => "integer"
      "ProviderType" => "integer"
      "ReasonCode" => "integer"
      "ServiceType" => "integer"
      "TunnelMediumType" => "integer"
      "TunnelType" => "integer"
    }
  }

  ruby {
    code => '
      code = event.get("ReasonCode");
      packet = event.get("PacketType");
      acctype = event.get("AcctStatusType");
      time = event.get("AcctSessionTime");
      termCause = event.get("AcctTerminateCause");

      if ! time.nil?
        if time == 0
          sessionTime = "Nao disponivel";
        elsif time > 3600
          sessionTime = (time / 60 / 60).to_s + " horas, " + (time / 60 % 60).to_s + " minutos e " + (time % 60).to_s + " segundos";
        elsif time > 60
          sessionTime = (time / 60 % 60).to_s + " minutos e " + (time % 60).to_s + " segundos";
        else
          sessionTime = time.to_s + " segundos";
        end
      end

      case code
      when 0
        if packet == 1
          connectionInfo = "Solicitação de Conexão";
        else
          if acctype == 1
            connectionInfo = "Início de Conexão";
          elsif acctype == 2
            case termCause
              when 1
                termCauseDesc = "Solicitação do Usuário";
              when 2
                termCauseDesc = "Perda de Sinal";
              when 3
                termCauseDesc = "Perda de Serviço";
              when 4
                termCauseDesc = "Tempo Limite de Inatividade";
              when 5
                termCauseDesc = "Tempo Limite da Sessão";
              when 6
                termCauseDesc = "Reset Administrativo";
              when 7
                termCauseDesc = "Reboot Administrativo";
              when 8
                termCauseDesc = "Erro de Porta";
              when 9
                termCauseDesc = "Erro do NAS";
              when 10
                termCauseDesc = "Solicitação do NAS";
              when 11
                termCauseDesc = "Reboot do NAS";
              when 12
                termCauseDesc = "Porta Desnecessária";
              when 13
                termCauseDesc = "Porta Preemptada";
              when 14
                termCauseDesc = "Porta Suspensa";
              when 15
                termCauseDesc = "Serviço Indisponível";
              when 16
                termCauseDesc = "Chamada de Retorno";
              when 17
                termCauseDesc = "Erro do Usário";
              when 18
                termCauseDesc = "Solciitado pelo Host";
            end
            connectionInfo = "Fim da Conexão. Causa: " + termCauseDesc + " | Tempo de Sessão: " + sessionTime;
          else
            connectionInfo = "Início de Conexão com Sucesso";
          end
        end
      when 1
        connectionInfo = "REFUSED: INTERNAL_ERROR";
      when 2
        connectionInfo = "REFUSED: ACCESS_DENIED";
      when 3
        connectionInfo = "REFUSED: MALFORMED_REQUEST";
      when 4
        connectionInfo = "REFUSED: GLOBAL_CATALOG_UNAVAILABLE";
      when 5
        connectionInfo = "REFUSED: DOMAIN_UNAVAILABLE";
      when 6
        connectionInfo = "REFUSED: SERVER_UNAVAILABLE";
      when 7
        connectionInfo = "REFUSED: NO_SUCH_DOMAIN";
      when 8
        connectionInfo = "REFUSED: NO_SUCH_USER";
      when 9
        connectionInfo = "REFUSED: EXTENSION_DISCARD";
      when 16
        connectionInfo ="REFUSED: AUTH_FAILURE";
      when 17
        connectionInfo ="REFUSED: CHANGE_PASSWORD_FAILURE";
      when 18
        connectionInfo ="REFUSED: UNSUPPORTED_AUTH_TYPE";
      when 19
        connectionInfo ="REFUSED: NO_CLEARTEXT_PASSWORD";
      when 20
        connectionInfo ="REFUSED: LM_NOT_ALLOWED";
      when 21
        connectionInfo ="REFUSED: EXTENSION_REJECT";
      when 22
        connectionInfo ="REFUSED: EAP_NEGOTIATION_FAILED";
      when 23
        connectionInfo ="REFUSED: UNEXPECTED_EAP_ERROR";
      when 32
        connectionInfo ="REFUSED: LOCAL_USERS_ONLY";
      when 33
        connectionInfo ="REFUSED: PASSWORD_MUST_CHANGE";
      when 34
        connectionInfo ="REFUSED: ACCOUNT_DISABLED";
      when 35
        connectionInfo ="REFUSED: ACCOUNT_EXPIRED";
      when 36
        connectionInfo ="REFUSED: ACCOUNT_LOCKED_OUT";
      when 37
        connectionInfo ="REFUSED: INVALID_LOGON_HOURS";
      when 38
        connectionInfo ="REFUSED: ACCOUNT_RESTRICTION";
      when 48
        connectionInfo ="REFUSED: NO_POLICY_MATCH";
      when 49
        connectionInfo ="REFUSED: NO_CONNECTION_REQUEST_POLICY_MATCH";
      when 64
        connectionInfo ="REFUSED: DIALIN_LOCKED_OUT";
      when 65
        connectionInfo ="REFUSED: DIALIN_DISABLED";
      when 66
        connectionInfo ="REFUSED: INVALID_AUTH_TYPE";
      when 67
        connectionInfo ="REFUSED: INVALID_CALLING_STATION";
      when 68
        connectionInfo ="REFUSED: INVALID_DIALIN_HOURS";
      when 69
        connectionInfo ="REFUSED: INVALID_CALLED_STATION";
      when 70
        connectionInfo ="REFUSED: INVALID_PORT_TYPE";
      when 71
        connectionInfo ="REFUSED: DIALIN_RESTRICTION";
      when 72
        connectionInfo ="REFUSED: CPW_NOT_ALLOWED";
      when 73
        connectionInfo ="REFUSED: INVALID_CERT_EKU";
      when 80
        connectionInfo ="REFUSED: NO_RECORD";
      when 96
        connectionInfo ="REFUSED: SESSION_TIMEOUT";
      when 97
        connectionInfo ="REFUSED: UNEXPECTED_REQUEST";
      when 112
        connectionInfo = "REFUSED: PROXY_REJECT";
      when 113
        connectionInfo = "REFUSED: PROXY_UNKNOWN_GROUP";
      when 114
        connectionInfo = "REFUSED: PROXY_UNKNOWN_SERVER";
      when 115
        connectionInfo = "REFUSED: PROXY_PACKET_TOO_LONG";
      when 116
        connectionInfo = "REFUSED: PROXY_SEND_ERROR";
      when 117
        connectionInfo = "REFUSED: PROXY_TIMEOUT";
      when 118
        connectionInfo = "REFUSED: PROXY_MALFORMED_RESPONSE";
      when 256
        connectionInfo = "REFUSED: CRYPT_E_REVOKED";
      when 257
        connectionInfo = "REFUSED: CRYPT_E_NO_REVOCATION_DLL";
      when 258
        connectionInfo = "REFUSED: CRYPT_E_NO_REVOCATION_CHECK";
      when 259
        connectionInfo = "REFUSED: CRYPT_E_REVOCATION_OFFLINE";
      when 260
        connectionInfo = "REFUSED: SEC_E_MESSAGE_ALTERED";
      when 261
        connectionInfo = "REFUSED: SEC_E_NO_AUTHENTICATING_AUTHORITY";
      when 262
        connectionInfo = "REFUSED: SEC_E_INCOMPLETE_MESSAGE";
      when 263
        connectionInfo = "REFUSED: SEC_E_INCOMPLETE_CREDENTIALS";
      when 264
        connectionInfo = "REFUSED: SEC_E_TIME_SKEW";
      when 265
        connectionInfo = "REFUSED: SEC_E_UNTRUSTED_ROOT";
      when 266
        connectionInfo = "REFUSED: SEC_E_ILLEGAL_MESSAGE";
      when 267
        connectionInfo = "REFUSED: SEC_E_CERT_WRONG_USAGE";
      when 268
        connectionInfo = "REFUSED: SEC_E_CERT_EXPIRED";
      when 269
        connectionInfo = "REFUSED: SEC_E_ALGORITHM_MISMATCH";
      when 270
        connectionInfo = "REFUSED: SEC_E_SMARTCARD_LOGON_REQUIRED";
      when 271
        connectionInfo = "REFUSED: SEC_E_SHUTDOWN_IN_PROGRESS";
      when 272
        connectionInfo = "REFUSED: SEC_E_MULTIPLE_ACCOUNTS";
      when 273
        connectionInfo = "REFUSED: TRUST_E_PROVIDER_UNKNOWN";
      when 274
        connectionInfo = "REFUSED: TRUST_E_ACTION_UNKNOWN";
      when 275
        connectionInfo = "REFUSED: TRUST_E_SUBJECT_FORM_UNKNOWN";
      when 276
        connectionInfo = "REFUSED: TRUST_E_SUBJECT_NOT_TRUSTED";
      when 277
        connectionInfo = "REFUSED: TRUST_E_NOSIGNATURE";
      when 278
        connectionInfo = "REFUSED: CERT_E_EXPIRED";
      when 279
        connectionInfo = "REFUSED: CERT_E_VALIDITYPERIODNESTING";
      when 280
        connectionInfo = "REFUSED: CERT_E_ROLE";
      when 281
        connectionInfo = "REFUSED: CERT_E_PATHLENCONST";
      when 282
        connectionInfo = "REFUSED: CERT_E_CRITICAL";
      when 283
        connectionInfo = "REFUSED: CERT_E_PURPOSE";
      when 284
        connectionInfo = "REFUSED: CERT_E_ISSUERCHAINING";
      when 285
        connectionInfo = "REFUSED: CERT_E_MALFORMED";
      when 286
        connectionInfo = "REFUSED: CERT_E_UNTRUSTEDROOT";
      when 287
        connectionInfo = "REFUSED: CERT_E_CHAINING";
      when 288
        connectionInfo = "REFUSED: TRUST_E_FAIL";
      when 289
        connectionInfo = "REFUSED: CERT_E_REVOKED";
      when 290
        connectionInfo = "REFUSED: CERT_E_UNTRUSTEDTESTROOT";
      when 291
        connectionInfo = "REFUSED: CERT_E_REVOCATION_FAILURE";
      when 292
        connectionInfo = "REFUSED: CERT_E_CN_NO_MATCH";
      when 293
        connectionInfo = "REFUSED: CERT_E_WRONG_USAGE";
      when 294
        connectionInfo = "REFUSED: TRUST_E_EXPLICIT_DISTRUST";
      when 295
        connectionInfo = "REFUSED: CERT_E_UNTRUSTEDCA";
      when 296
        connectionInfo = "REFUSED: CERT_E_INVALID_POLICY";
      when 297
        connectionInfo = "REFUSED: CERT_E_INVALID_NAME";
      when 298
        connectionInfo = "REFUSED: SEC_E_PKINIT_NAME_MISMATCH";
      when 299
        connectionInfo = "REFUSED: SEC_E_OUT_OF_SEQUENCE";
      when 300
        connectionInfo = "REFUSED: SEC_E_NO_CREDENTIALS";
      else
        connectionInfo = code;
      end

      event.set("ConnectionInfo", connectionInfo);
    '
  }

  fingerprint {
    id => "Duplicate Protection"
    source => "message"
    target => "[@metadata][fingerprint]"
    method => "MURMUR3"
    remove_field => ["index"]
  }
}

output {
  elasticsearch {
    hosts => ["<server>"]
    index => "vpn_reindex-%{+YYYY.MM}"
    document_id => "%{[@metadata][fingerprint]}"
  }
}
	input {
	elasticsearch {
	hosts => ["<server>"]
	index => "rras_vpn*"
	query => '
	{
	"query":
	{ "range" : {
	"@timestamp" : {
	"gte" : "2018-11-01", "lte" : "now"
	}}},
	"sort": [ "@timestamp" ]
	}
	'
	docinfo => true
	docinfo_fields => {
	"_id" => "document_id"
	"_index" => "document_index"
	}
	}
	}

	filter {

	if ![CallingStationID] {

	mutate {
	gsub => [ "FQUser", "([\\])", "\1\1" ]
	}

	elasticsearch {
	hosts => ["<server>"]
	index => "%{[@metadata][document_index]}"
	query_template => "config/reindex_lookup.json"
	fields => {
	"MSRASClientName" => "Source_MSRASClientName"
	"FQUser" => "Source_FQUser"
	"UserName" => "Source_UserName"
	"TunnelClientEndpt" => "Source_TunnelClientEndpt"
	"CallingStationID" => "Source_CallingStationID"
	"[@metadata][_id]" => "Source_ID"
	"message" => "Source_message"
	}
	}

	mutate {
	gsub => [ "FQUser", "[\\]([\\])", "\1" ]
	}

	ruby {
	code => '
	sourceUser = event.get("Source_UserName");
	sourceFQ = event.get("Source_FQUser");
	thisFQ = event.get("FQUser");

	if thisFQ.nil?
	if !sourceFQ.nil?
	nome = sourceFQ.downcase;
	elsif !sourceUser.nil?
	nome = sourceUser.downcase;
	end
	else
	nome = thisFQ.downcase;
	end

	event.set("LoginCredential", nome);

	sourceCalling = event.get("Source_CallingStationID")
	sourceEndpt = event.get("Source_TunnelClientEndpt")

	if !sourceCalling.nil?
	source = sourceCalling.to_s;
	elsif !sourceEndpt.nil?
	source = sourceEndpt.to_s;
	end

	event.set("SourceIP", source);
	'
	}

	} else {
	ruby {
	code => '
	thisFQ = event.get("FQUser");
	thisUser = event.get("UserName");

	if thisFQ.nil?
	if !thisUser.nil?
	nome = thisUser.downcase;
	end
	else
	nome = thisFQ.downcase;
	end

	event.set("LoginCredential", nome);

	event.set("SourceIP", event.get("CallingStationID"));
	'
	}
	}

	mutate {
	convert => {
	"@version" => "integer"
	"AcctAuthentic" => "integer"
	"AcctDelayTime" => "integer"
	"AcctInputOctets" => "integer"
	"AcctInputPackets" => "integer"
	"AcctLinkCount" => "integer"
	"AcctMultiSsnID" => "integer"
	"AcctOutputOctets" => "integer"
	"AcctOutputPackets" => "integer"
	"AcctSessionID" => "integer"
	"AcctSessionTime" => "integer"
	"AcctStatusType" => "integer"
	"AcctTerminateCause" => "integer"
	"AuthenticationType" => "integer"
	"EventTimestamp" => "integer"
	"FramedProtocol" => "integer"
	"IdleTimeout" => "integer"
	"MSMPPEEncryptionTypes" => "integer"
	"MSMPPEEncryptionPolicy" => "integer"
	"MSRASVendor" => "integer"
	"NASPort" => "integer"
	"NASPortType" => "integer"
	"PacketType" => "integer"
	"ProviderType" => "integer"
	"ReasonCode" => "integer"
	"ServiceType" => "integer"
	"TunnelMediumType" => "integer"
	"TunnelType" => "integer"
	}
	}

	ruby {
	code => '
	code = event.get("ReasonCode");
	packet = event.get("PacketType");
	acctype = event.get("AcctStatusType");
	time = event.get("AcctSessionTime");
	termCause = event.get("AcctTerminateCause");

	if ! time.nil?
	if time == 0
	sessionTime = "Nao disponivel";
	elsif time > 3600
	sessionTime = (time / 60 / 60).to_s + " horas, " + (time / 60 % 60).to_s + " minutos e " + (time % 60).to_s + " segundos";
	elsif time > 60
	sessionTime = (time / 60 % 60).to_s + " minutos e " + (time % 60).to_s + " segundos";
	else
	sessionTime = time.to_s + " segundos";
	end
	end

	case code
	when 0
	if packet == 1
	connectionInfo = "Solicitação de Conexão";
	else
	if acctype == 1
	connectionInfo = "Início de Conexão";
	elsif acctype == 2
	case termCause
	when 1
	termCauseDesc = "Solicitação do Usuário";
	when 2
	termCauseDesc = "Perda de Sinal";
	when 3
	termCauseDesc = "Perda de Serviço";
	when 4
	termCauseDesc = "Tempo Limite de Inatividade";
	when 5
	termCauseDesc = "Tempo Limite da Sessão";
	when 6
	termCauseDesc = "Reset Administrativo";
	when 7
	termCauseDesc = "Reboot Administrativo";
	when 8
	termCauseDesc = "Erro de Porta";
	when 9
	termCauseDesc = "Erro do NAS";
	when 10
	termCauseDesc = "Solicitação do NAS";
	when 11
	termCauseDesc = "Reboot do NAS";
	when 12
	termCauseDesc = "Porta Desnecessária";
	when 13
	termCauseDesc = "Porta Preemptada";
	when 14
	termCauseDesc = "Porta Suspensa";
	when 15
	termCauseDesc = "Serviço Indisponível";
	when 16
	termCauseDesc = "Chamada de Retorno";
	when 17
	termCauseDesc = "Erro do Usário";
	when 18
	termCauseDesc = "Solciitado pelo Host";
	end
	connectionInfo = "Fim da Conexão. Causa: " + termCauseDesc + " \| Tempo de Sessão: " + sessionTime;
	else
	connectionInfo = "Início de Conexão com Sucesso";
	end
	end
	when 1
	connectionInfo = "REFUSED: INTERNAL_ERROR";
	when 2
	connectionInfo = "REFUSED: ACCESS_DENIED";
	when 3
	connectionInfo = "REFUSED: MALFORMED_REQUEST";
	when 4
	connectionInfo = "REFUSED: GLOBAL_CATALOG_UNAVAILABLE";
	when 5
	connectionInfo = "REFUSED: DOMAIN_UNAVAILABLE";
	when 6
	connectionInfo = "REFUSED: SERVER_UNAVAILABLE";
	when 7
	connectionInfo = "REFUSED: NO_SUCH_DOMAIN";
	when 8
	connectionInfo = "REFUSED: NO_SUCH_USER";
	when 9
	connectionInfo = "REFUSED: EXTENSION_DISCARD";
	when 16
	connectionInfo ="REFUSED: AUTH_FAILURE";
	when 17
	connectionInfo ="REFUSED: CHANGE_PASSWORD_FAILURE";
	when 18
	connectionInfo ="REFUSED: UNSUPPORTED_AUTH_TYPE";
	when 19
	connectionInfo ="REFUSED: NO_CLEARTEXT_PASSWORD";
	when 20
	connectionInfo ="REFUSED: LM_NOT_ALLOWED";
	when 21
	connectionInfo ="REFUSED: EXTENSION_REJECT";
	when 22
	connectionInfo ="REFUSED: EAP_NEGOTIATION_FAILED";
	when 23
	connectionInfo ="REFUSED: UNEXPECTED_EAP_ERROR";
	when 32
	connectionInfo ="REFUSED: LOCAL_USERS_ONLY";
	when 33
	connectionInfo ="REFUSED: PASSWORD_MUST_CHANGE";
	when 34
	connectionInfo ="REFUSED: ACCOUNT_DISABLED";
	when 35
	connectionInfo ="REFUSED: ACCOUNT_EXPIRED";
	when 36
	connectionInfo ="REFUSED: ACCOUNT_LOCKED_OUT";
	when 37
	connectionInfo ="REFUSED: INVALID_LOGON_HOURS";
	when 38
	connectionInfo ="REFUSED: ACCOUNT_RESTRICTION";
	when 48
	connectionInfo ="REFUSED: NO_POLICY_MATCH";
	when 49
	connectionInfo ="REFUSED: NO_CONNECTION_REQUEST_POLICY_MATCH";
	when 64
	connectionInfo ="REFUSED: DIALIN_LOCKED_OUT";
	when 65
	connectionInfo ="REFUSED: DIALIN_DISABLED";
	when 66
	connectionInfo ="REFUSED: INVALID_AUTH_TYPE";
	when 67
	connectionInfo ="REFUSED: INVALID_CALLING_STATION";
	when 68
	connectionInfo ="REFUSED: INVALID_DIALIN_HOURS";
	when 69
	connectionInfo ="REFUSED: INVALID_CALLED_STATION";
	when 70
	connectionInfo ="REFUSED: INVALID_PORT_TYPE";
	when 71
	connectionInfo ="REFUSED: DIALIN_RESTRICTION";
	when 72
	connectionInfo ="REFUSED: CPW_NOT_ALLOWED";
	when 73
	connectionInfo ="REFUSED: INVALID_CERT_EKU";
	when 80
	connectionInfo ="REFUSED: NO_RECORD";
	when 96
	connectionInfo ="REFUSED: SESSION_TIMEOUT";
	when 97
	connectionInfo ="REFUSED: UNEXPECTED_REQUEST";
	when 112
	connectionInfo = "REFUSED: PROXY_REJECT";
	when 113
	connectionInfo = "REFUSED: PROXY_UNKNOWN_GROUP";
	when 114
	connectionInfo = "REFUSED: PROXY_UNKNOWN_SERVER";
	when 115
	connectionInfo = "REFUSED: PROXY_PACKET_TOO_LONG";
	when 116
	connectionInfo = "REFUSED: PROXY_SEND_ERROR";
	when 117
	connectionInfo = "REFUSED: PROXY_TIMEOUT";
	when 118
	connectionInfo = "REFUSED: PROXY_MALFORMED_RESPONSE";
	when 256
	connectionInfo = "REFUSED: CRYPT_E_REVOKED";
	when 257
	connectionInfo = "REFUSED: CRYPT_E_NO_REVOCATION_DLL";
	when 258
	connectionInfo = "REFUSED: CRYPT_E_NO_REVOCATION_CHECK";
	when 259
	connectionInfo = "REFUSED: CRYPT_E_REVOCATION_OFFLINE";
	when 260
	connectionInfo = "REFUSED: SEC_E_MESSAGE_ALTERED";
	when 261
	connectionInfo = "REFUSED: SEC_E_NO_AUTHENTICATING_AUTHORITY";
	when 262
	connectionInfo = "REFUSED: SEC_E_INCOMPLETE_MESSAGE";
	when 263
	connectionInfo = "REFUSED: SEC_E_INCOMPLETE_CREDENTIALS";
	when 264
	connectionInfo = "REFUSED: SEC_E_TIME_SKEW";
	when 265
	connectionInfo = "REFUSED: SEC_E_UNTRUSTED_ROOT";
	when 266
	connectionInfo = "REFUSED: SEC_E_ILLEGAL_MESSAGE";
	when 267
	connectionInfo = "REFUSED: SEC_E_CERT_WRONG_USAGE";
	when 268
	connectionInfo = "REFUSED: SEC_E_CERT_EXPIRED";
	when 269
	connectionInfo = "REFUSED: SEC_E_ALGORITHM_MISMATCH";
	when 270
	connectionInfo = "REFUSED: SEC_E_SMARTCARD_LOGON_REQUIRED";
	when 271
	connectionInfo = "REFUSED: SEC_E_SHUTDOWN_IN_PROGRESS";
	when 272
	connectionInfo = "REFUSED: SEC_E_MULTIPLE_ACCOUNTS";
	when 273
	connectionInfo = "REFUSED: TRUST_E_PROVIDER_UNKNOWN";
	when 274
	connectionInfo = "REFUSED: TRUST_E_ACTION_UNKNOWN";
	when 275
	connectionInfo = "REFUSED: TRUST_E_SUBJECT_FORM_UNKNOWN";
	when 276
	connectionInfo = "REFUSED: TRUST_E_SUBJECT_NOT_TRUSTED";
	when 277
	connectionInfo = "REFUSED: TRUST_E_NOSIGNATURE";
	when 278
	connectionInfo = "REFUSED: CERT_E_EXPIRED";
	when 279
	connectionInfo = "REFUSED: CERT_E_VALIDITYPERIODNESTING";
	when 280
	connectionInfo = "REFUSED: CERT_E_ROLE";
	when 281
	connectionInfo = "REFUSED: CERT_E_PATHLENCONST";
	when 282
	connectionInfo = "REFUSED: CERT_E_CRITICAL";
	when 283
	connectionInfo = "REFUSED: CERT_E_PURPOSE";
	when 284
	connectionInfo = "REFUSED: CERT_E_ISSUERCHAINING";
	when 285
	connectionInfo = "REFUSED: CERT_E_MALFORMED";
	when 286
	connectionInfo = "REFUSED: CERT_E_UNTRUSTEDROOT";
	when 287
	connectionInfo = "REFUSED: CERT_E_CHAINING";
	when 288
	connectionInfo = "REFUSED: TRUST_E_FAIL";
	when 289
	connectionInfo = "REFUSED: CERT_E_REVOKED";
	when 290
	connectionInfo = "REFUSED: CERT_E_UNTRUSTEDTESTROOT";
	when 291
	connectionInfo = "REFUSED: CERT_E_REVOCATION_FAILURE";
	when 292
	connectionInfo = "REFUSED: CERT_E_CN_NO_MATCH";
	when 293
	connectionInfo = "REFUSED: CERT_E_WRONG_USAGE";
	when 294
	connectionInfo = "REFUSED: TRUST_E_EXPLICIT_DISTRUST";
	when 295
	connectionInfo = "REFUSED: CERT_E_UNTRUSTEDCA";
	when 296
	connectionInfo = "REFUSED: CERT_E_INVALID_POLICY";
	when 297
	connectionInfo = "REFUSED: CERT_E_INVALID_NAME";
	when 298
	connectionInfo = "REFUSED: SEC_E_PKINIT_NAME_MISMATCH";
	when 299
	connectionInfo = "REFUSED: SEC_E_OUT_OF_SEQUENCE";
	when 300
	connectionInfo = "REFUSED: SEC_E_NO_CREDENTIALS";
	else
	connectionInfo = code;
	end

	event.set("ConnectionInfo", connectionInfo);
	'
	}

	fingerprint {
	id => "Duplicate Protection"
	source => "message"
	target => "[@metadata][fingerprint]"
	method => "MURMUR3"
	remove_field => ["index"]
	}
	}

	output {
	elasticsearch {
	hosts => ["<server>"]
	index => "vpn_reindex-%{+YYYY.MM}"
	document_id => "%{[@metadata][fingerprint]}"
	}
	}