logstash-indexer_NAT.conf

# Example of extending the syslog filters for a specific syslog format.
# This example matches the NAT logs on my linux firewalls.
# Slip this into the logstash-indexer.conf just before the filter stanza is closed.


  grep {
    type => "syslog"
    match => ["@message","^RULE"]
    add_tag => "is_Linux_NAT"
    drop => false
  }
        kv {
                type => "syslog"
                tags => [ "is_Linux_NAT" ]
                prefix => "nat_"
        }
  grok {
    type => "syslog"
    tags => [ "is_Linux_NAT" ]
    pattern => [ "^RULE %{NUMBER:nat_Rule} -- %{DATA:nat_Action} %{GREEDYDATA:message_remainder}" ]
  }
  mutate {
    type => "syslog"
    tags => [ "is_Linux_NAT" ]
    replace => [ "@message", "NAT - %{nat_Action} -- %{nat_SRC}:%{nat_SPT} -> %{nat_DST}:%{nat_DPT}" ]
  }
  mutate {
    # XXX must not be combined with replacement which uses same field
    type => "syslog"
    tags => [ "is_Linux_NAT" ]
    remove => [ "message_remainder" ]
  }