leejo/logstash_syslog

## logstash_syslog
        if [type] == "syslog" {
                grok {
                        match => {
                                message => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} (%{SYSLOGHOST:remote} )?%{DATA:program}(?:\[%{POSINT:pid}\])?: (%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME} )?%{GREEDYDATA:message_no_ts}"
                        }
                        add_tag => [ "%{[tag]}","syslog","%{[program]}" ]
                }
                date {
                        # we use the value of timestamp in the @timestamp field
                        match => [ "timestamp","MMM dd HH:mm:ss","MMM  d HH:mm:ss" ]
                }
                mutate {
                        # remove duplicate fields that we no longer need
                        remove_field => [ "tag","timestamp" ]
                }
        }
	if [type] == "syslog" {
	grok {
	match => {
	message => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} (%{SYSLOGHOST:remote} )?%{DATA:program}(?:\[%{POSINT:pid}\])?: (%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME} )?%{GREEDYDATA:message_no_ts}"
	}
	add_tag => [ "%{[tag]}","syslog","%{[program]}" ]
	}
	date {
	# we use the value of timestamp in the @timestamp field
	match => [ "timestamp","MMM dd HH:mm:ss","MMM d HH:mm:ss" ]
	}
	mutate {
	# remove duplicate fields that we no longer need
	remove_field => [ "tag","timestamp" ]
	}
	}