patterns
# Custom grok patterns, loaded by the grok filter via patterns_dir (/etc/logstash/patterns in logstash.conf).
# FSM: Cisco facility-severity-mnemonic triple, e.g. ASA-4-106023 -- a word, a positive integer, then
# everything up to the next colon.
FSM (%{WORD}-%{POSINT}-[^:]+)
# SYSLOGPRI: the 1-3 digit PRI value inside the leading <...>; captured as syslog_pri so the syslog_pri
# filter can split it into facility/severity.
SYSLOGPRI (\d{1,3})
# CISCOTS: Cisco-style timestamp. The year is optional, so device time is only fully determined when the
# device is configured to emit it.
CISCOTS %{MONTH} +%{MONTHDAY} (%{YEAR} )?%{TIME}
# CISCO: a whole Cisco syslog line. Optional sequence number and hostname after the PRI, an optional '.' or
# '*' before the timestamp (presumably the IOS clock-state marker -- confirm against the device), a literal
# '%' (written %% in grok) before the FSM, and the remainder of the line as message.
# NOTE(review): hostname is parsed from the payload, so it is sender-supplied and not an authenticated
# device identity; treat it as untrusted in any alerting built on this field.
CISCO <%{SYSLOGPRI:syslog_pri}>(%{NONNEGINT:ciscoseq}: )?(%{NOTSPACE:hostname}: )?(\.|\*)?%{CISCOTS:timestamp}: %%{FSM:f_s_m}: %{GREEDYDATA:message}
logstash.conf
# Inputs. Every source is given type "syslog" so the filter section treats them uniformly.
input {
# Local snmptrapd log, read line by line; the filter section parses it with the generic SYSLOGLINE pattern.
file {
path => "/var/log/snmptrapd.log"
type => "syslog"
}
# Network syslog on 514/tcp and 514/udp. Binding a port below 1024 requires root or the
# CAP_NET_BIND_SERVICE capability on Linux.
# NOTE(review): no transport security is configured on either listener, and UDP source addresses are
# trivially spoofable, so [host] and any hostname parsed from the payload are untrusted inputs for
# downstream detection logic.
tcp {
type => "syslog"
port => 514
}
udp {
type => "syslog"
port => 514
}
}
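# Filters run in order. The "grokked" tag records that a grok stage matched, so the Cisco-specific grok
# only runs on lines the generic SYSLOGLINE pattern could not parse.
filter {
if [type] == "syslog" {
if "grokked" not in [tags] {
grok {
match => [ "message", "%{SYSLOGLINE}" ]
add_tag => [ "syslog", "grokked" ]
}
}
if "grokked" not in [tags] {
grok {
# CISCO, FSM, SYSLOGPRI and CISCOTS come from the custom patterns file.
patterns_dir => ["/etc/logstash/patterns"]
match => [ "message", "%{CISCO}" ]
add_tag => [ "cisco", "grokked" ]
}
}
# Both grok paths leave the device/daemon time in [timestamp]. Without a date filter, @timestamp is the
# ingest time, which skews timelines (and the daily index chosen in the output section) whenever the
# pipeline lags or logs are replayed. The formats cover one- and two-digit days, with and without a year
# (CISCOTS has the year optional, SYSLOGTIMESTAMP has none) and with or without fractional seconds.
# A line whose timestamp matches none of these keeps ingest time and gets the _dateparsefailure tag.
if [timestamp] {
date {
match => [ "timestamp",
"MMM dd HH:mm:ss", "MMM  d HH:mm:ss",
"MMM dd HH:mm:ss.SSS", "MMM  d HH:mm:ss.SSS",
"MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss",
"MMM dd yyyy HH:mm:ss.SSS", "MMM  d yyyy HH:mm:ss.SSS" ]
}
}
# Existence check first: lines that failed both groks have no [program] field at all.
if [program] and "snmptrapd" in [program] {
mutate {
add_tag => [ "snmptrap" ]
}
}
}
if "cisco" in [tags] {
# Noise suppression keyed on the facility-severity-mnemonic.
# NOTE(review): ASA-4-106023 is the ASA's ACL-deny message (per Cisco's message catalog); dropping it
# discards the denied-connection evidence that scan and lateral-movement detections commonly rely on.
# Routing it to a separate, cheaper index preserves that visibility.
if [f_s_m] == "CDP-4-NATIVE_VLAN_MISMATCH" {
drop { }
} else if [f_s_m] == "ASA-4-106023" {
drop { }
}
# Splits [syslog_pri] (set by the CISCO pattern; the plugin's default source field) into facility and
# severity fields.
syslog_pri {
}
}
# The first grok adds _grokparsefailure to every line that is not plain syslog, even when the Cisco grok
# then succeeds; clear that spurious tag. Lines that failed both groks keep it, which is the case worth
# alerting on.
if "grokked" in [tags] and "_grokparsefailure" in [tags] {
mutate {
remove_tag => [ "_grokparsefailure" ]
}
}
}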
# Routes each event class into its own daily index. The date in the index name is taken from @timestamp.
# NOTE(review): every elasticsearch block relies on plugin defaults for the destination and transport,
# i.e. an unauthenticated, plaintext connection to a local node; if the cluster is remote, the hosts and
# the TLS/credential options of the installed plugin version need to be set explicitly.
output {
if "cisco" in [tags] {
elasticsearch {
index => "logstash-cisco-%{+YYYY.MM.dd}"
}
} else if [type] == "snmptrap" or "snmptrap" in [tags] {
elasticsearch {
# No input in this file assigns type "snmptrap"; the [type] half of the test only matters if another
# config file does. The "snmptrap" tag is what the filter section sets for snmptrapd lines.
index => "logstash-snmp-%{+YYYY.MM.dd}"
}
} else {
elasticsearch {
# Everything else, including lines that failed both grok stages (still carrying _grokparsefailure).
index => "logstash-misc-%{+YYYY.MM.dd}"
}
}
}