

@viq
Created December 12, 2013 12:02
Attempt at parsing sshd logs - how do I avoid _grokparsefailure in disconnect part?
input {
  # Event feed over ZeroMQ: this side binds as the server, the remote side
  # publishes, and each message is expected to already be a JSON event.
  zeromq {
    type => "zeromq-type"
    mode => "server"
    topology => "pubsub"
    # Binds on every interface. Nothing in this block authenticates the
    # publisher, so any host that can reach port 2021 can inject events;
    # keep it firewalled or bind to an internal address instead of 0.0.0.0.
    address => "tcp://0.0.0.0:2021"
    format => "json_event"
  }
}
input {
  # Plain syslog over TCP and UDP on the same port, loopback only, so only
  # a forwarder running on this host can reach them. Both carry type
  # "syslog", which is what the filter section keys on.
  tcp {
    host => "127.0.0.1"
    port => "2514"
    type => "syslog"
    #format => "json"
  }
  udp {
    host => "127.0.0.1"
    port => "2514"
    type => "syslog"
    #format => "json"
  }
}
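filter {
  if [type] == "syslog" {
    # Split the raw syslog line into PRI, timestamp, host, program[pid] and
    # message. A line that does not fit this shape gets the default
    # _grokparsefailure tag, and the conditional further down keys on that
    # tag, so the default is kept here on purpose.
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\]?)?:? %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
    }
    # Decode syslog_pri into facility/severity fields.
    syslog_pri { }
    # Take the event time from the log line itself; both day-of-month widths
    # are listed because syslog pads single-digit days with a space.
    date {
      match => { "syslog_timestamp" => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] }
    }
    # Promote the parsed host/message only when the syslog grok matched;
    # otherwise the original fields are left untouched.
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
    }
    # Unconditional: these fields only exist when the grok matched, and by
    # now their values have been copied where they are wanted.
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
    }
    # Route by program. These greps only tag, they never drop.
    grep {
      match => [ "syslog_program", "sshd" ]
      add_tag => [ "sshd" ]
      drop => false
    }
    grep {
      match => [ "syslog_program", "sudo" ]
      add_tag => [ "sudo" ]
      drop => false
    }
    # pam_unix lines (session open/close etc.) are tagged "pam" and lose the
    # sshd/sudo tags, so they are not fed to the program-specific groks below.
    grep {
      match => [ "message", "pam_unix" ]
      add_tag => [ "pam" ]
      remove_tag => [ "sudo", "sshd" ]
      drop => false
    }
  }
  if "sshd" in [tags] {
    # Every sshd line passes through both groks, but at most one of them can
    # match, so with the default tag_on_failure every sshd event would end up
    # tagged _grokparsefailure. An empty tag_on_failure makes a non-match a
    # plain no-op; add_tag still marks the events that did match.
    # Note: only successful logins and disconnects are parsed here. Failed
    # or rejected authentication lines do not fit either pattern and now
    # pass through silently; give them their own grok if you want them tagged.
    grok {
      match => [ "message", "Accepted %{WORD:ssh_auth_method} for %{USER:ssh_user} from %{IP:ssh_src_ip} port %{INT:ssh_src_port} ssh2" ]
      add_tag => "ssh_login_success"
      tag_on_failure => []
    }
    grok {
      match => [ "message", "Received disconnect from %{IP:ssh_src_ip}: %{GREEDYDATA:ssh_disconnect_reason}" ]
      add_tag => "ssh_disconnect"
      tag_on_failure => []
    }
  }
  if "sudo" in [tags] {
    # Single grok, so the default failure tag is left in place deliberately:
    # a sudo line this pattern does not fit (such as a denied command, whose
    # message has a different shape) then shows up as _grokparsefailure
    # instead of being silently unparsed.
    grok {
      match => [ "message", "%{WORD:sudo_user} : TTY=%{DATA:sudo_terminal} ; PWD=%{DATA:sudo_pwd} ; USER=%{WORD:sudo_run_as} ; COMMAND=%{GREEDYDATA:sudo_command}" ]
    }
  }
}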
output {
  # Echoes every event, raw message included, to the Logstash process's
  # stdout. Handy while tuning the groks; noisy (and a second copy of the
  # log data) in production.
  stdout {
    debug => true
  }
  # Cluster name is rendered in by Salt from pillar before this file is
  # deployed; the node itself is reached over loopback.
  elasticsearch {
    cluster => "{{ salt['pillar.get']('logstash:cluster_name') }}"
    host => "127.0.0.1"
  }
}