ELK

patterns

FSM (%{WORD}-%{POSINT}-[^:]+)
SYSLOGPRI (\d{1,3})
CISCOTS %{MONTH} +%{MONTHDAY} (%{YEAR} )?%{TIME}
CISCO <%{SYSLOGPRI:syslog_pri}>(%{NONNEGINT:ciscoseq}: )?(%{NOTSPACE:hostname}: )?(\.|\*)?%{CISCOTS:timestamp}: %%{FSM:f_s_m}: %{GREEDYDATA:message}

logstash.conf

input {
#  snmptrap {
#    type => "snmptrap"
#    port => 162
#    community => ["Public","public"]
#  }

  file {
      path => "/var/log/snmptrapd.log"
      type => "syslog"
  }

  tcp {
      type => "syslog"
      port => 514
  }
  udp {
      type => "syslog"
      port => 514
  }
}

filter {
  if [type] == "syslog" {
      if "grokked" not in [tags] {
        grok {
            match => [ "message", "%{SYSLOGLINE}" ]
            add_tag => [ "syslog", "grokked" ]
        }
      }

    if "grokked" not in [tags] {
       grok {
          patterns_dir => ["/etc/logstash/patterns"]
          match => [ "message", "%{CISCO}" ]
          add_tag => [ "cisco", "grokked" ]
       }
     }

    if "snmptrapd" in [program] {
       mutate {
         add_tag => [ "snmptrap" ]
       }
    }
  }

  if "cisco" in [tags] {
      if [f_s_m] == "CDP-4-NATIVE_VLAN_MISMATCH" {
          drop { }
      } else if [f_s_m] == "ASA-4-106023" {
          drop { }
      }

      syslog_pri {
      }
  }

  if "grokked" in [tags] and "_grokparsefailure" in [tags] {
      mutate {
          remove_tag => [ "_grokparsefailure" ]
      }
  }

}

output {
  if "cisco" in [tags] {
       elasticsearch {
          index => "logstash-cisco-%{+YYYY.MM.dd}"
        } 
    } else if [type] == "snmptrap" or "snmptrap" in [tags] {
       elasticsearch {
          index  => "logstash-snmp-%{+YYYY.MM.dd}"
       }
    } else {
       elasticsearch {
          index => "logstash-misc-%{+YYYY.MM.dd}"
        }
    }
}