input {
  # Collector agents push JSON events to this pipeline over TCP. The codec
  # decodes each payload into event fields and the type marks the source so
  # the filter stage can tell these events apart. Nothing here enables TLS or
  # client authentication, so the listener should only be reachable from the
  # collection network.
  tcp {
    port  => 1337
    type  => "irscript"
    codec => json
  }
}
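filter {
  # Heartbeat events are passed through untouched; everything else is
  # normalised, filtered down to Kansa output and tagged for routing.
  if [type] !~ /heartbeat/ {
    # The tcp input already decodes JSON via its codec, so this only does work
    # when an event still carries a "message" field (for example a payload the
    # codec could not decode); the json filter skips silently otherwise.
    json {
      source => "message"
    }

    # Normalise field names to the short names used downstream.
    mutate {
      rename => {
        "Source Host"   => "shost"
        "host"          => "src"
        "Document Path" => "filePath"
        "_id"           => "fileId"
        "filename"      => "fname"
      }
    }

    # Only events produced by the Kansa collector script are kept; anything
    # else is dropped here so it never reaches the output stage. mutate is the
    # correct plugin for tagging: a grok block with no match pattern may never
    # add its tag (grok tags only on a successful match), which would have
    # let non-Kansa events slip through the drop below.
    if [sourceScript] == "kansa.ps1" {
      mutate {
        add_tag => [ "kansa" ]
      }
    } else {
      drop { }
    }

    # Derive the index-name component from the module script name: the text
    # before the first "." in KansaModule, lowercased (for example a value of
    # the form Get-Something.ps1 becomes get-something). Separate mutate blocks
    # keep the split/lowercase ordering explicit; options inside a single
    # mutate are applied in the plugin's fixed order, not the order written.
    if [KansaModule] {
      mutate {
        add_field => { "tempmodule" => "%{KansaModule}" }
      }
      mutate {
        split => { "tempmodule" => "." }
      }
      mutate {
        lowercase => [ "tempmodule" ]
      }
      mutate {
        # Canonical field-reference syntax for the first array element; the
        # shorthand %{tempmodule[0]} may be rejected by strict field-reference
        # parsing in newer Logstash releases.
        add_field    => { "truncmodulename" => "%{[tempmodule][0]}" }
        remove_field => [ "tempmodule" ]
      }
    }

    # Module status reports and the launch acknowledgement are telemetry about
    # the collection run rather than collected evidence; the output stage
    # routes tagged events to a separate index.
    if [ModuleStatus] or [Message] == "FireForget Kansa module launched on endpoint" {
      mutate {
        add_tag => [ "telemetry" ]
      }
    }
  }
}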
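output {
  # Telemetry events go to a daily index; collected evidence goes to a monthly
  # per-module index. The Elasticsearch password is read from the Logstash
  # keystore or the environment (${ES_PASSWORD}) instead of being kept in
  # clear text in this file. hosts carries no scheme, so the connection is
  # plain HTTP unless ssl => true and a CA certificate are configured.
  if "telemetry" in [tags] {
    elasticsearch {
      hosts      => ["elasticserver01:9200"]   # array of Elasticsearch nodes
      user       => "logstash"
      password   => "${ES_PASSWORD}"           # add ES_PASSWORD to the Logstash keystore or the environment
      flush_size => 1000                       # NOTE: removed from recent versions of the elasticsearch output; drop it if Logstash rejects the option
      index      => "logstash-kansatelemetry-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts      => ["elasticserver01:9200"]   # array of Elasticsearch nodes
      user       => "logstash"
      password   => "${ES_PASSWORD}"           # add ES_PASSWORD to the Logstash keystore or the environment
      flush_size => 1000                       # NOTE: removed from recent versions of the elasticsearch output; drop it if Logstash rejects the option
      # %{truncmodulename} is left literally in the index name when the event
      # has no KansaModule field (heartbeats, for instance); set a default
      # upstream if that is not acceptable.
      index      => "logstash-%{truncmodulename}-%{+YYYY.MM}"
    }
  }
  # Debug aid: echo every event to the console.
  # stdout { codec => rubydebug }
}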