@lporras
Last active May 3, 2019 17:19
example logstash 1
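# Pipeline 1: read a JSON file line by line, strip a separator from "surname",
# and label each event as supplier ("Proveedor") or client from "company".
input {
  file {
    # Absolute, user-specific path from the course material; adjust before
    # running anywhere else.
    path => "/Users/luisalfredoporraspaez/apps/elk_course/datos.json"
    # NOTE(review): start_position is expected to matter only for files the
    # file input has not tracked before (sincedb) -- confirm on re-runs.
    start_position => "beginning"
    codec => "json"
  }
}

filter {
  mutate {
    remove_field => ["@version"]
    # Remove the literal " - " separator from the surname value.
    gsub => ["surname", " - ", ""]
  }

  # Classify by company-name prefix. The original pattern /^Prov*/ made the
  # trailing "v" optional (zero or more), so any company starting with "Pro"
  # was labelled a supplier; /^Prov/ matches the intended prefix only.
  # Events with no "company" field fail the test and fall into the else branch.
  if [company] =~ /^Prov/ {
    mutate {
      add_field => { "user" => "Proveedor" }
    }
  } else {
    mutate {
      add_field => { "user" => "Client" }
    }
  }
}

output {
  # rubydebug prints every field of every event to the console, including any
  # personal data in the input file; intended for local inspection only.
  stdout { codec => rubydebug }
}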
##-----------------------
# Pipeline 2: read the same JSON file and parse an invoice ("factura") line
# out of the "message" field with grok.
input {
  file {
    codec => "json"
    start_position => "beginning"
    # Absolute, user-specific path from the course material.
    path => "/Users/luisalfredoporraspaez/apps/elk_course/datos.json"
  }
}

filter {
  # NOTE(review): the input already decodes each line as JSON, so "message"
  # exists only when the JSON document itself carries a "message" key --
  # confirm against datos.json; otherwise this grok has nothing to match.
  grok {
    # Expected shape: factura: <name>-<surname> [<company>] <money>
    match => { "message" => "factura: %{WORD:name}-%{WORD:surname} \[%{WORD:company}\] %{NUMBER:money}" }
  }
}

output {
  # Console dump of every event; local inspection only.
  stdout { codec => rubydebug }
}
##---------------------------------------------------------------------
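# Pipeline 3: tag events whose source IP is in a private / non-routable range
# and run a GeoIP lookup only for the remaining (public) addresses.
input {
  file {
    # Absolute, user-specific path from the course material.
    path => "/Users/luisalfredoporraspaez/apps/elk_course/datos.json"
    start_position => "beginning"
    codec => "json"
  }
}

filter {
  # Skip events with no srcip, or with the placeholder "N/A".
  if [srcip] and [srcip] != "N/A" {
    cidr {
      add_tag => ["src_ip_priv"]
      address => ["%{srcip}"]
      # RFC 1918 ranges, link-local, the unspecified address and -- added --
      # loopback (127.0.0.0/8), which is equally non-routable and would
      # otherwise be handed to the GeoIP lookup below.
      network => ["172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/32", "127.0.0.0/8"]
    }
    # Only public addresses get a GeoIP lookup; private ones carry the tag.
    if "src_ip_priv" not in [tags] {
      geoip {
        target => "src_geoip"
        source => "srcip"
        # Restrict the enrichment to the fields actually needed downstream.
        fields => ["city_name", "continent_code", "country_code2", "country_code3", "country_name", "ip", "latitude", "longitude", "location"]
      }
    }
  }
}

output {
  # Console dump of every event; local inspection only.
  stdout { codec => rubydebug }
}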
##----------------------------------
# Pipeline 4: tail system log files, parse syslog lines and index them into a
# local Elasticsearch.
input {
  file {
    type => "syslog"
    # Reading /var/log requires the Logstash user to have read access there.
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # syslog_hostname / syslog_program / syslog_pid / syslog_message are
      # taken verbatim from the log line, i.e. from whatever wrote the log.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Keep the ingest time and the ingesting host alongside the parsed line.
      add_field => {
        "received_at" => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    syslog_pri { }
    date {
      # Two layouts: single- and double-digit day. The syslog timestamp
      # carries no year or zone; see the date filter docs for how those
      # are filled in.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  # Plain HTTP to a local node; no credentials or TLS configured here.
  elasticsearch {
    index => "syslog-demo"
    hosts => ["127.0.0.1:9200"]
  }
}
##-----------------------
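# Pipeline 5: receive Apache access logs from Beats, parse them and index.
input {
  beats {
    # Plain-text listener; no ssl / ssl_certificate options are set here.
    port => 5044
  }
}

filter {
  grok {
    # Produces, among others, the "timestamp" field used by the date filter.
    match => { "message" => "%{COMBINEDAPACHELOG}"}
  }
  date {
    # Apache writes the month as an abbreviated name (e.g.
    # 10/Oct/2000:13:55:36 -0700), which "MMM" parses. The original
    # "dd/MM/yyyy:HH:mm:ss Z" expected a numeric month and could not match
    # the value grok extracts, leaving @timestamp at ingest time.
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  # Console dump of every event; local inspection only.
  stdout { codec => rubydebug }
  # No index set, so the plugin's default index name applies.
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
  }
}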
##-----------------------------
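# Pipeline 6: same as pipeline 5 plus GeoIP enrichment of the client address,
# written to a daily "apache-*" index.
input {
  beats {
    # Plain-text listener; no ssl / ssl_certificate options are set here.
    port => 5044
  }
}

filter {
  grok {
    # Produces "timestamp" and "clientip" used by the filters below.
    match => { "message" => "%{COMBINEDAPACHELOG}"}
  }
  date {
    # Apache writes the month as an abbreviated name (e.g.
    # 10/Oct/2000:13:55:36 -0700), which "MMM" parses. The original
    # "dd/MM/yyyy:HH:mm:ss Z" expected a numeric month and could not match
    # the value grok extracts, leaving @timestamp at ingest time.
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  geoip {
    # clientip comes from the log line itself (proxy-forwarded values are
    # not unwrapped here).
    source => "clientip"
  }
}

output {
  # Console dump of every event; local inspection only.
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "apache-%{+YYYY.MM.dd}"
  }
}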
###--------------------------
# Pipeline 7: receive JSON application logs from Beats, decode them, enrich
# with GeoIP and user-agent details, and index into a daily "gedeon-app-*" index.
input {
  beats {
    # Plain-text listener; no ssl / ssl_certificate options are set here.
    port => 5044
  }
}

filter {
  # No "target" is set, so the decoded keys are placed directly on the event;
  # a log line can therefore add or overwrite top-level fields. Setting a
  # target (and then reading [target][remote_ip] etc. below) would keep
  # application-supplied keys in their own namespace.
  json {
    source => "message"
  }
  geoip {
    source => "remote_ip"
  }
  useragent {
    target => "useragent"
    source => "user_agent"
  }
}

output {
  # Console dump of every event; local inspection only.
  stdout { codec => rubydebug }
  elasticsearch {
    index => "gedeon-app-%{+YYYY.MM.dd}"
    hosts => ["localhost:9200"]
  }
}