rossigee/custom_parsers.conf

## custom_parsers.conf
[PARSER]
    Name        ubuntu-syslog-with-pid
    Format      regex
    Regex       /^(?<timestamp>\S+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s(?<process>\S+)\[(?<pid>\d+)\]:\s(?<message>.*)$/
    Time_Key    time
    Time_Format %b %d %H:%M:%S
    Time_Keep   On

[PARSER]
    Name        ubuntu-syslog-without-pid
    Format      regex
    Regex       /^(?<timestamp>\S+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s(?<process>\S+):\s(?<message>.*)$/
    Time_Key    time
    Time_Format %b %d %H:%M:%S
    Time_Keep   On

[PARSER]
    Name        ubuntu-auth
    Format      regex
    Regex       /^(?<timestamp>\d+-\d+\s+\d+:\d+:\d+)\s+(?<message>.*)$/
    Time_Key    timestamp
    Time_Format %Y-%m-%d %H:%M:%S
    Time_Keep   On

## fluent-bit.conf
[INPUT]
    Name          tail
    Path          /var/log/syslog
    Tag           system.syslog
    Parser        ubuntu-syslog-with-pid

[INPUT]
    Name          tail
    Path          /var/log/auth.log
    Tag           system.auth
    Parser        ubuntu-syslog-with-pid

[INPUT]
    Name          tail
    Path          /var/log/dpkg.log
    Tag           system.dpkg
    Parser        ubuntu-dpkg

# Catch entries without the pid in brackets
[FILTER]
    Name          parser
    Match         system.syslog
    Key_Name      log
    Parser        ubuntu-syslog-without-pid

[FILTER]
    Name          parser
    Match         system.auth
    Key_Name      log
    Parser        ubuntu-syslog-without-pid
	[PARSER]
	Name ubuntu-syslog-with-pid
	Format regex
	Regex /^(?<timestamp>\S+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s(?<process>\S+)\[(?<pid>\d+)\]:\s(?<message>.*)$/
	Time_Key time
	Time_Format %b %d %H:%M:%S
	Time_Keep On

	[PARSER]
	Name ubuntu-syslog-without-pid
	Format regex
	Regex /^(?<timestamp>\S+\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s(?<hostname>\S+)\s(?<process>\S+):\s(?<message>.*)$/
	Time_Key time
	Time_Format %b %d %H:%M:%S
	Time_Keep On

	[PARSER]
	Name ubuntu-auth
	Format regex
	Regex /^(?<timestamp>\d+-\d+\s+\d+:\d+:\d+)\s+(?<message>.*)$/
	Time_Key timestamp
	Time_Format %Y-%m-%d %H:%M:%S
	Time_Keep On
	[INPUT]
	Name tail
	Path /var/log/syslog
	Tag system.syslog
	Parser ubuntu-syslog-with-pid

	[INPUT]
	Name tail
	Path /var/log/auth.log
	Tag system.auth
	Parser ubuntu-syslog-with-pid

	[INPUT]
	Name tail
	Path /var/log/dpkg.log
	Tag system.dpkg
	Parser ubuntu-dpkg

	# Catch entries without the pid in brackets
	[FILTER]
	Name parser
	Match system.syslog
	Key_Name log
	Parser ubuntu-syslog-without-pid

	[FILTER]
	Name parser
	Match system.auth
	Key_Name log
	Parser ubuntu-syslog-without-pid