add config examples for injesting

2021-10-21 22:08:34 -05:00 · 2021-10-21 22:08:34 -05:00 · 9936df5321
parent bc6e2b2594
commit 9936df5321
3 changed files with 105 additions and 0 deletions
--- a/Search-ESsearcher/logstash/conf.d/beats.conf
+++ b/Search-ESsearcher/logstash/conf.d/beats.conf
@ -0,0 +1,70 @@
+input {
+  beats {
+    host => "192.168.14.3"
+    port => 5044
+    type => "beats"
+  }
+}
+
+filter {
+    if [type] == "beats" {
+        mutate {
+            remove_field => [ "[host]" ]
+        }
+        mutate {
+            add_field => {
+                "host" => "%{[beat][hostname]}"
+            }
+        }
+    }
+
+    if [fields][log] == "fail2ban" {
+                grok {
+                        match => {
+                            "message" => "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_src}.%{WORD:src_action} *\[%{INT:fail2ban_digit}\]: %{LOGLEVEL:loglevel} *\[%{NOTSPACE:service}\] %{WORD:b
+an_status} %{IP:clientip}"
+                        }
+                }
+                geoip {
+                        source => "clientip"
+                }
+                mutate {
+                        convert => [ "[geoip][coordinates]", "float" ]
+                }
+    }
+
+    if [fields][log] == "apache-access" {
+                grok {
+                        match => {
+                                "message" => "%{HTTPD_COMBINEDLOG}+%{GREEDYDATA:extra_fields}"
+                        }
+                        overwrite => [ "message" ]
+                }
+
+                mutate {
+                        convert => ["response", "integer"]
+                        convert => ["bytes", "integer"]
+                        convert => ["responsetime", "float"]
+                }
+                geoip {
+                        source => "clientip"
+                        target => "geoip"
+                        add_tag => [ "apache-geoip" ]
+                }
+                date {
+                        match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
+                        remove_field => [ "timestamp" ]
+                }
+                useragent {
+                        source => "agent"
+                }
+    }
+}
+
+output {
+  if [type] == "beats" {
+    elasticsearch {
+      hosts => [ "127.0.0.1:9200" ]
+    }
+  }
+}
--- a/Search-ESsearcher/logstash/conf.d/rsyslog.conf
+++ b/Search-ESsearcher/logstash/conf.d/rsyslog.conf
@ -0,0 +1,18 @@
+input {
+  udp {
+    host => "192.168.14.3"
+    port => 10514
+    codec => "json"
+    type => "rsyslog"
+  }
+}
+
+filter { }
+
+output {
+  if [type] == "rsyslog" {
+    elasticsearch {
+      hosts => [ "127.0.0.1:9200" ]
+    }
+  }
+}
--- a/Search-ESsearcher/logstash/conf.d/syslog.conf
+++ b/Search-ESsearcher/logstash/conf.d/syslog.conf
@ -0,0 +1,17 @@
+input {
+  syslog {
+    host => "192.168.14.3"
+    port => 11514
+    type => "syslog"
+  }
+}
+
+filter { }
+
+output {
+  if [type] == "syslog" {
+    elasticsearch {
+      hosts => [ "127.0.0.1:9200" ]
+    }
+  }
+}