ram-devsecops/gist:641e27b55ed88ae9e031

## gistfile1.txt
input {
  lumberjack {
    port => 5043
    ssl_certificate => "/etc/puppetlabs/puppet/ssl/certs/logstashxxx.pem"
    ssl_key => "/etc/puppetlabs/puppet/ssl/public_keys/logstashxxx.pem"
  }
}

filter {

#Dropping all headings
        if [message] =~ "^#" {drop {}}

#Grok parsing - Using custom patterns to account for null values.
        #ELMAH
        if [type] == "ELMAHLog" {
                 multiline {
                        pattern => "^%{TIMESTAMP_ISO8601}"
                        what => "previous"
                        negate => true
                 }
                 grok {
                        match => ["message", "(?m)(%{TIMESTAMP_ISO8601:log_timestamp})\t(?<ErrorId>(.*?))\t(?<Application>(.*?))\t(?<Host>(.*?))\t(?<Type>(.*?))\t(?<Source>(.*?))\t(?<Message>(.*?))\t(?<User>(.*?))\t(?<Status Code>(.*?))\t(?<Sequence>(.*?))\t(?<Ignored>(.*?))\t(%{GREEDYDATA:allXML})"]
                        add_tag => "ELMAH"
                 }
         }

        #Matching dates
    date {
                match => [ "log_timestamp", "ISO8601" ]
                timezone => "Etc/UCT"
        }

    #Removing timestamp field (covered by @timestamp date filter), message field (covered by allXML), and multiline tag.
    mutate {
                remove_field => ["log_timestamp"]
    }
        if [type] == "ELMAHLog" {
                mutate {
                        remove_field => ["message"]
                        remove_tag => ["multiline"]
                        }
                }
        #When the service starts, disregard any log files older than 7 days.
        ruby {
                code => "event.cancel if event.timestamp < (Time.now - (86400 * 7))"
        }
}

output {
        #Only exporting files that parsed properly.
                elasticsearch {
                        protocol => http
                        host     => "localhost"
                        port     => 9200
                }
	input {
	lumberjack {
	port => 5043
	ssl_certificate => "/etc/puppetlabs/puppet/ssl/certs/logstashxxx.pem"
	ssl_key => "/etc/puppetlabs/puppet/ssl/public_keys/logstashxxx.pem"
	}
	}

	filter {

	#Dropping all headings
	if [message] =~ "^#" {drop {}}

	#Grok parsing - Using custom patterns to account for null values.
	#ELMAH
	if [type] == "ELMAHLog" {
	multiline {
	pattern => "^%{TIMESTAMP_ISO8601}"
	what => "previous"
	negate => true
	}
	grok {
	match => ["message", "(?m)(%{TIMESTAMP_ISO8601:log_timestamp})\t(?<ErrorId>(.?))\t(?<Application>(.?))\t(?<Host>(.?))\t(?<Type>(.?))\t(?<Source>(.?))\t(?<Message>(.?))\t(?<User>(.?))\t(?<Status Code>(.?))\t(?<Sequence>(.?))\t(?<Ignored>(.?))\t(%{GREEDYDATA:allXML})"]
	add_tag => "ELMAH"
	}
	}

	#Matching dates
	date {
	match => [ "log_timestamp", "ISO8601" ]
	timezone => "Etc/UCT"
	}

	#Removing timestamp field (covered by @timestamp date filter), message field (covered by allXML), and multiline tag.
	mutate {
	remove_field => ["log_timestamp"]
	}
	if [type] == "ELMAHLog" {
	mutate {
	remove_field => ["message"]
	remove_tag => ["multiline"]
	}
	}
	#When the service starts, disregard any log files older than 7 days.
	ruby {
	code => "event.cancel if event.timestamp < (Time.now - (86400 * 7))"
	}
	}

	output {
	#Only exporting files that parsed properly.
	elasticsearch {
	protocol => http
	host => "localhost"
	port => 9200
	}