jordansissel/tshark-logstash.conf

## tshark-logstash.conf
input { stdin { } }

output {
  stdout {
    #codec => rubydebug
    codec => dots
  }

  elasticsearch {
    protocol => http
    index_type => "pcap1"
  }
}

filter {
  grok {
    match => {
      "message" => [
        #"Frame %{NUMBER:frame:int}: %{NUMBER:bytes:int) bytes on wire \(%{NUMBER} bits\), %{NUMBER} bytes captured \(%{NUMBER} bits\) on interface %{NUMBER} \(%{WORD:direction}\)",        "^Frame %{NUMBER:frame:int}:"
      ]
    }
  }

  if [message] !~ /^Frame \d+/ and [message] =~ /\b\w+\b:/ {
    ruby {
      code => 'key,value = event["message"].split(/: +/, 2); key = key.strip.downcase.gsub(/ /,"_"); event[key] = value.strip if key =~ /^[a-z_-]+$/'
    }
  }

  multiline {
    what => previous pattern => "^$" negate => true
  }

  if [epoch_time] {
    mutate {
      gsub => [ "epoch_time", " seconds", "" ]
    }
    date {
      match => [ "epoch_time", "UNIX" ]
    }
  }

}
	input { stdin { } }

	output {
	stdout {
	#codec => rubydebug
	codec => dots
	}

	elasticsearch {
	protocol => http
	index_type => "pcap1"
	}
	}

	filter {
	grok {
	match => {
	"message" => [
	#"Frame %{NUMBER:frame:int}: %{NUMBER:bytes:int) bytes on wire \(%{NUMBER} bits\), %{NUMBER} bytes captured \(%{NUMBER} bits\) on interface %{NUMBER} \(%{WORD:direction}\)", "^Frame %{NUMBER:frame:int}:"
	]
	}
	}

	if [message] !~ /^Frame \d+/ and [message] =~ /\b\w+\b:/ {
	ruby {
	code => 'key,value = event["message"].split(/: +/, 2); key = key.strip.downcase.gsub(/ /,"_"); event[key] = value.strip if key =~ /^[a-z_-]+$/'
	}
	}

	multiline {
	what => previous pattern => "^$" negate => true
	}

	if [epoch_time] {
	mutate {
	gsub => [ "epoch_time", " seconds", "" ]
	}
	date {
	match => [ "epoch_time", "UNIX" ]
	}
	}

	}