sirhopcount/gist:7afb6fdc9ac68ae4d009

## gistfile1.txt
  grep {
    type => "syslog"
    match => [ "syslog_program", "drupal" ]
    add_tag => "Drupal"
    drop => false
  }
  grok {
    type => "syslog"
    tags => [ "Drupal" ]
    match => [ "@message", "^https?://%{HOSTNAME:drupal_vhost}\|%{NUMBER:drupal_timestamp}\|(?<drupal_action>[^\|]*)\|%{IP:drupal_ip}\|(?<drupal_request_uri>[^\|]*)\|(?<drupal_referer>[^\|]*)\|(?<drupal_uid>[^\|]*)\|(?<drupal_link>[^\|]*)\|(?<drupal_message>.*)" ]
  }
	grep {
	type => "syslog"
	match => [ "syslog_program", "drupal" ]
	add_tag => "Drupal"
	drop => false
	}
	grok {
	type => "syslog"
	tags => [ "Drupal" ]
	match => [ "@message", "^https?://%{HOSTNAME:drupal_vhost}\\|%{NUMBER:drupal_timestamp}\\|(?<drupal_action>[^\\|])\\|%{IP:drupal_ip}\\|(?<drupal_request_uri>[^\\|])\\|(?<drupal_referer>[^\\|])\\|(?<drupal_uid>[^\\|])\\|(?<drupal_link>[^\\|])\\|(?<drupal_message>.)" ]
	}