@maus-
Created May 14, 2014 03:52
Logstash conf for rsyslog + auditd logs into elasticsearch

input {
  # rsyslog forwards to this port; every event from this input gets type "syslog"
  syslog {
    type => "syslog"
    port => 514
  }
}

filter {
  # Old-style (Logstash 1.x) type filter: this grok only runs on events whose type is
  # "auditd". Note that the input above tags events "syslog", so the type must be set
  # to "auditd" somewhere for these patterns to apply.
  grok {
    type => "auditd"
    # Both patterns belong in one array: a second pattern => key would replace the first.
    pattern => [
      " AUDIT type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): user pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} subj=%{WORD:audit_subject} msg=%{GREEDYDATA:audit_message}",
      " AUDITLOGIN type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): login pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} old auid=%{NUMBER:old_auid} new auid=%{NUMBER:new_auid} old ses=%{NUMBER:old_ses} new ses=%{NUMBER:new_ses}"
    ]
  }
}

output {
  # rubydebug prints each parsed event to the console; debug => true is the older
  # equivalent and is redundant once the codec is set
  stdout {
    codec => rubydebug
    debug => true
  }
  # embedded Elasticsearch node inside the Logstash process (testing only)
  elasticsearch {
    embedded => true
  }
}
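To see what the two grok patterns above actually extract, here is an added Python script; it is not part of the gist. It expands the gist's %{NAME:field} references into Python named groups using regex equivalents of Logstash's stock WORD, NUMBER and GREEDYDATA definitions (an assumption: grok's real NUMBER uses an atomic group that Python's re lacks, so the equivalence is close but not exact) and runs them over constructed sample lines in the shape the patterns expect. It also shows one caveat a practitioner would want to know: WORD stops at a colon, so the user pattern does not match a full SELinux subj= context and Logstash would tag that event _grokparsefailure; a NOTSPACE variant for subj (added here, not in the gist) does match it.

```python
import re

# Regex equivalents of the Logstash grok primitives the gist's patterns use.
# Assumption: these mirror Logstash's WORD / NUMBER / GREEDYDATA closely enough for
# auditd lines (grok's NUMBER wraps the number in an atomic group, which re lacks).
GROK_PRIMITIVES = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "GREEDYDATA": r".*",
    "NOTSPACE": r"\S+",  # only used by the corrected subj= variant below
}


def grok_to_regex(pattern):
    """Expand every %{NAME:field} reference into a Python named group."""
    def expand(m):
        primitive, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PRIMITIVES[primitive]})"
    # a callable replacement is inserted literally, so the backslashes survive
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


# The two patterns exactly as they appear in the gist (including the audit_audid field name).
USER_PATTERN = (
    r" AUDIT type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): "
    r"user pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} "
    r"subj=%{WORD:audit_subject} msg=%{GREEDYDATA:audit_message}"
)
LOGIN_PATTERN = (
    r" AUDITLOGIN type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): "
    r"login pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} old auid=%{NUMBER:old_auid} "
    r"new auid=%{NUMBER:new_auid} old ses=%{NUMBER:old_ses} new ses=%{NUMBER:new_ses}"
)
GIST_PATTERNS = [grok_to_regex(USER_PATTERN), grok_to_regex(LOGIN_PATTERN)]

# Variant (not in the gist): NOTSPACE for subj= so SELinux contexts, which contain
# colons, are captured instead of making the whole pattern fail.
FIXED_PATTERNS = [
    grok_to_regex(USER_PATTERN.replace("%{WORD:audit_subject}", "%{NOTSPACE:audit_subject}")),
    grok_to_regex(LOGIN_PATTERN),
]


def parse_audit(line, patterns=GIST_PATTERNS):
    """Return the fields of the first matching pattern, or None (grok's _grokparsefailure case)."""
    for rx in patterns:
        m = rx.search(line)  # grok matches unanchored, like re.search
        if m:
            return m.groupdict()
    return None


# Constructed sample lines (not real captures): the message text after rsyslog
# has forwarded it, in the shape the gist's patterns expect.
USER_LINE = (
    "May 14 03:52:01 host1 AUDIT type=USER_START msg=audit(1400039521.123:456): user pid=1234 "
    "uid=0 auid=1000 subj=unconfined msg='op=PAM:session_open acct=\"alice\" "
    "exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'"
)
LOGIN_LINE = (
    "May 14 03:52:01 host1 AUDITLOGIN type=LOGIN msg=audit(1400039521.200:457): login pid=1234 "
    "uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=7"
)
# Same user event, but with a full SELinux context in subj=
SELINUX_LINE = USER_LINE.replace("subj=unconfined", "subj=unconfined_u:unconfined_r:unconfined_t:s0")

if __name__ == "__main__":
    for name, line in (("user", USER_LINE), ("login", LOGIN_LINE), ("selinux", SELINUX_LINE)):
        print(name, parse_audit(line))
    print("selinux with NOTSPACE", parse_audit(SELINUX_LINE, FIXED_PATTERNS))
```

Running the script prints the field dictionaries for the user and login samples, None for the SELinux sample under the gist's patterns, and the full context string once subj= uses NOTSPACE. The same check can be done against a live pipeline by watching for the _grokparsefailure tag in the rubydebug output that the stdout block above produces.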