logstash.conf

input {
    syslog {
        port => "1514"
        tags => ["input_core_api_syslog"]
    }
    syslog {
        port => "1515"
        tags => ["input_mqtt_broker_syslog"]
    }
    syslog {
        port => "1516"
        tags => ["input_app_logs"]
    }
}

filter {
    if "input_core_api_syslog" in [tags] {
        grok {
            match => ["message", "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:timestamp}|-) +(?:%{HOSTNAME:heroku_drain_id}|-) +(?:%{WORD:heroku_source}|-) +(?:%{DATA:heroku_dyno}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|) +%{GREEDYDATA:heroku_message}"]
        }
        mutate { rename => ["heroku_message", "message"] }
        kv { source => "message" }
        syslog_pri { syslog_pri_field_name => "syslog5424_pri" }
    } else if "input_mqtt_broker_syslog" in [tags] {
        mutate {
            remove_field => [ "timestamp" ]
        }
    } else if "input_app_logs" in [tags] {
        mutate {
            remove_field => [ "timestamp" ]
        }
    }
}

output {
    elasticsearch { hosts => ["<aws-host>:9200"] }
}