logstash配置
阅读量:6916 次
发布时间:2019-06-27

本文共 2761 字,大约阅读时间需要 9 分钟。

 

input {

  # Every input stamps a [type]; the filter and output sections route on it,
  # so an input without a type produces events nothing downstream matches.

  # IIS mail-server access logs, shipped as one JSON document per line over TCP.
  tcp {
    type  => "iis_mail_log"
    port  => 5045
    codec => "json"
  }

  # Fortigate firewall logs via syslog. The syslog input binds both TCP and UDP.
  # NOTE(review): 514 is a privileged port; if Logstash runs as an unprivileged
  # user it needs the bind capability, otherwise use a high port (the disabled
  # 5140 variants below) and forward to it.
  syslog {
    type => "syslog_net"
    port => 514
  }

  # Alternatives that were tried and left disabled:
  #   tcp { port => 5140  type => "syslog" }
  #   udp { port => 5140  type => "syslog" }
}

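filter {

  # IIS access logs: enrich the client address with GeoIP data.
  # Only the three listed attributes are kept, nested under [geoip].
  if [type] in ["iis_mail_log", "iis_oa_log"] {
    geoip {
      source   => "c-ip"
      target   => "geoip"
      database => "/data/app/logstash-6.2.2/data/GeoLite2-City.mmdb"
      fields   => ["city_name", "region_name", "country_name"]
    }
  }

  # LDAP security log: the raw line is a JSON document.
  # No `target` is set, so parsed keys are merged into the event root and can
  # overwrite existing fields, including [type] which drives routing below;
  # set `target` if the log source is not fully trusted.
  if [type] == "sec_ldap_log" {
    json {
      source => "message"
    }
    # seclogas events carry the real text in [Message]; promote it to [message].
    if [SourceModuleName] == "seclogas" {
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
  }

  # Strip the IPv4-mapped IPv6 prefix (::ffff:a.b.c.d -> a.b.c.d).
  # The condition matches the full "::ffff:" prefix rather than the bare
  # substring "ffff", so genuine IPv6 addresses that merely contain "ffff"
  # no longer hit the grok and pick up a spurious _grokparsefailure tag.
  if [IpAddress] =~ /::ffff:/ {
    grok {
      match     => ["IpAddress", "^.*?::ffff:%{GREEDYDATA:IpAddress}$"]
      overwrite => ["IpAddress"]
    }
  }

  # Flag machine accounts. Heuristic: a "$" anywhere in [TargetUserName]
  # (Windows computer accounts end in "$"). Events without that field fall
  # into the else branch, so every event leaves here with [machine] set.
  if [TargetUserName] =~ /\$/ {
    mutate {
      add_field => { "machine" => "true" }
    }
  } else {
    mutate {
      add_field => { "machine" => "false" }
    }
  }

  # Disabled: reduce "user@domain" to the bare user name.
  # if [TargetUserName] =~ /\@/ {
  #   grok {
  #     match     => ["TargetUserName", "%{WORD:TargetUserName}"]
  #     overwrite => ["TargetUserName"]
  #   }
  # }

  # Fortigate firewall log: key=value pairs behind a syslog "<PRI>" header.
  if [type] == "syslog_net" {

    # Drop the leading "<PRI>" so kv only sees the key=value payload.
    grok {
      match     => ["message", "<%{POSINT:syslog_index}>%{GREEDYDATA:message}"]
      overwrite => ["message"]
    }

    # Keep only the keys of interest; other pairs in the line are ignored.
    kv {
      source       => "message"
      field_split  => ","
      value_split  => "="
      trim_value   => "\""
      include_keys => ["date","time","subtype","srcip","srcport","srcintf","dstip","dstport","dstintf","action","trandisp","transip","service"]
      #target => "kv"
    }

    # Combine the device date and time into one text field.
    # NOTE(review): fg_time stays a string and the date filter below is
    # disabled, so @timestamp is not derived from the firewall clock; event
    # time and receipt time can differ, which matters for timeline work.
    mutate {
      add_field    => ["fg_time", "%{date} %{time}"]
      remove_field => ["date", "time"]
      # rename  => ["type", "fg_type"]
      # rename  => ["subtype", "fg_subtype"]
      # convert => ["rcvdbyte" => "integer"]
      # convert => ["sentbyte" => "integer"]
    }

    # Disabled: parse fg_time into @timestamp. (The earlier draft referenced
    # a temp_time field that is never created; fg_time is the field built above.)
    #date {
    #  match  => ["fg_time", "yyyy-MM-dd HH:mm:ss"]
    #  # timezone => "UTC"
    #  target => "@timestamp"
    #}
  }
}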

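output {

  # NOTE(review): no `user`/`password`/`ssl` options are set on any output
  # below, so transport security is whatever the Redis and Elasticsearch
  # endpoints enforce on their own; confirm the path is a trusted network or
  # enable TLS and authentication on these outputs.

  # IIS mail logs fan out to a Redis channel and to a monthly Elasticsearch index.
  if [type] == "iis_mail_log" {
    # Output to redis
    redis {
      host      => ["2.2.2.2:6379"]
      key       => "logstash"
      data_type => "channel"
      codec     => "json"
    }
    # Output to elasticsearch (this comment previously lacked its "#" and
    # was parsed as config, breaking the pipeline).
    elasticsearch {
      action => "index"
      hosts  => ["1.1.2.1:9200","1.1.2.2:9200"]
      index  => "iis_mail_%{+YYYY-MM}"
      codec  => "json"
    }
  }

  # IIS OA logs: monthly Elasticsearch index only.
  if [type] == "iis_oa_log" {
    elasticsearch {
      action => "index"
      hosts  => ["1.1.2.1:9200","1.1.2.2:9200"]
      #index => "logstash-oa-access0529-%{+YYYY-MM}"
      index  => "iis_oa_%{+YYYY-MM}"
      codec  => "json"
    }
  }

  # Fortigate firewall logs: monthly Elasticsearch index only.
  if [type] == "syslog_net" {
    elasticsearch {
      action => "index"
      hosts  => ["1.1.2.1:9200","1.1.2.2:9200"]
      index  => "net_fw_%{+YYYY-MM}"
      codec  => "json"
    }
  }

  # NOTE(review): events with [type] == "sec_ldap_log" are processed in the
  # filter section but match no branch here and are therefore discarded;
  # confirm that is intended or add an output for them.
}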

 

转载地址:http://ugxcl.baihongyu.com/
