allamiro / Linux-Scripts

Collection of very useful Bash shell scripts, developed by me or found on the web.


grok


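# Logstash pipeline: read syslog-style lines from a file and rewrite each
# event's "message" as a CEF (Common Event Format) record.
input {
  file {
    path => "/path/to/your/logfile.log"
    # Read the whole file on the first run; later runs resume from the sincedb offset.
    start_position => "beginning"
  }
}

filter {
  grok {
    # Standard syslog line: timestamp, host, program, optional "[pid]", message.
    # The brackets around the pid are regex metacharacters and must be escaped;
    # unescaped, "[...]" is read as a character class and the pid never matches.
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }

  # Only events grok actually parsed are rewritten. An unparsed line keeps its
  # raw "message" and the _grokparsefailure tag so it is visible for triage,
  # instead of becoming a CEF record full of unresolved "%{...}" references.
  if "_grokparsefailure" not in [tags] {

    # Escape CEF metacharacters in every value taken from the log line.
    # Header fields ("|"-delimited) need "|" and "\" escaped; extension values
    # ("key=value") need "=" and "\" escaped. Without this, a log line that
    # contains "|" or "=" can shift or forge fields in the generated record.
    # Patterns assume the default config.support_escapes: false, where "\\" in
    # the config is the two-character regex for one literal backslash.
    mutate {
      gsub => [
        "syslog_program",  "\\", "\\\\",
        "syslog_program",  "\|", "\\|",
        "syslog_hostname", "\\", "\\\\",
        "syslog_hostname", "=",  "\\=",
        "syslog_message",  "\\", "\\\\",
        "syslog_message",  "=",  "\\="
      ]
    }

    # The CEF header fields get their own mutate block: within a single mutate,
    # add_field is applied AFTER replace, so a replace in the same block that
    # references these fields would see them unset and emit them literally.
    mutate {
      add_field => {
        "CEFVersion"         => "0"
        "DeviceVendor"       => "YourVendor"
        "DeviceProduct"      => "YourProduct"
        "DeviceVersion"      => "YourVersion"
        "DeviceEventClassId" => "YourEventID"
        "Name"               => "%{syslog_program}"
        # CEF severity is an integer 0-10 (or Low/Medium/High/Very-High);
        # "Unknown" is not a valid value. Change the default to suit your needs.
        "Severity"           => "0"
      }
    }

    # Build the CEF record. dvchost/dvcpid are the CEF keys for the device host
    # name and process id; src (source IP) and spt (source port) would mislabel
    # a hostname and a pid for any consumer that parses the record.
    mutate {
      replace => { "message" => "CEF:%{CEFVersion}|%{DeviceVendor}|%{DeviceProduct}|%{DeviceVersion}|%{DeviceEventClassId}|%{Name}|%{Severity}|rt=%{syslog_timestamp} dvchost=%{syslog_hostname} msg=%{syslog_message}" }
    }

    # The pid is optional in the grok pattern; append it only when present so an
    # absent pid does not leave a literal "%{syslog_pid}" in the record.
    if [syslog_pid] {
      mutate {
        replace => { "message" => "%{message} dvcpid=%{syslog_pid}" }
      }
    }
  }
}

output {
  file {
    path => "/path/to/output/file"
    # The file output defaults to the json_lines codec, which would wrap the
    # CEF record in a JSON document; emit the bare CEF line instead.
    codec => line { format => "%{message}" }
  }
}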