logstash.conf

gistfile1.txt

input {
stdin { }
}

filter {
grok {
                match => [ "message", "<(?<ruleID>.*)>(?<msg>.*)" ]
                add_tag => "grok"
  }
  kv { source => "msg" }
  mutate {
   replace => ["date", "%{date} %{time}" ]
  }

date{
      match => [ "date", "yyyy-MM-dd HH:mm:ss" ]
    }
}
output {
stdout {
codec => rubydebug
}
}


filter {
        if "mail" in [type] and "maillog" in [source] {
                grok {
                    match => ["message","%{CISCOTIMESTAMP:mail_date} %{DATA:server_name} %{DATA:service}/%{DATA:process}\[%{DATA:pid}\]:",
                              "message","%{CISCOTIMESTAMP:mail_date} %{DATA:server_name} %{DATA:service}\[%{DATA:pid}\]:"]
                    break_on_match => true
                }

                date {
                    match => ["mail_date", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
                }
        }
}


grok {
              match => [ "message", "%{TIMESTAMP_ISO8601:date} %{SYSLOGHOST:host} Oracle Audit\[%{POSINT}\]: LENGTH: \"%{POSINT}\"\s(?<msg>.*)" ]
                add_tag => "grok"
  }
  kv {
     source => "msg"
     value_split => " "
}


  mutate {
   replace => ["date", "%{date} %{time}" ]
  }