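# Logstash pipeline: receives Beats events, parses OCS / HLR / AAA (FreeRADIUS)
# log lines with grok, extracts an IMSI when one is present, normalises the
# timestamp and host name, drops shipper metadata, and writes each source to
# its own ILM-managed Elasticsearch rollover alias.

input {
  # NOTE(review): this listener has no TLS or client authentication configured,
  # so any host that can reach port 5044 can submit events and the log content
  # travels in clear text. Enable TLS on the beats input (ideally with client
  # certificates) or restrict the port to the shipper hosts at the network layer.
  beats {
    port => "5044"
  }
}

filter {
  # OCS and HLR share one line layout:
  #   <ISO8601 timestamp> <level> <issuer> (<pool>) <free text>
  if "ocs" in [tags] or "hlr" in [tags] {
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}"
      }
    }
  }

  # AAA lines are tried against two patterns in order: first the form that
  # carries a plugin name, then the shorter form without one.
  # FREERADIUS_DATE and FREERADIUS_LOGTYPE are custom patterns, expected to be
  # defined under /etc/logstash/patterns.
  if "aaa" in [tags] {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => {
        "message" => [
          "%{FREERADIUS_DATE:timestamp}%{SPACE}:%{SPACE}%{FREERADIUS_LOGTYPE:log-level}:%{SPACE}%{FREERADIUS_LOGTYPE:log-plugin}:%{SPACE}%{GREEDYDATA:log-message}",
          "%{FREERADIUS_DATE:timestamp}%{SPACE}:%{SPACE}%{FREERADIUS_LOGTYPE:log-level}:%{SPACE}%{GREEDYDATA:log-message}"
        ]
      }
    }
  }

  # Optional IMSI extraction from the parsed message text. This runs for every
  # event; tag_on_failure is emptied so lines without an IMSI are not tagged as
  # grok failures.
  # NOTE(review): the IMSI is a subscriber identifier, so the target indices
  # should be readable only by roles that need subscriber-level data.
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => {
      "log-message" => "IMSI\s*=\s*(%{IMSI:imsi})"
    }
    tag_on_failure => []
  }

  # Parse the extracted timestamp in place (target is "timestamp", not
  # "@timestamp").
  # NOTE(review): the second format ends in "YYY" while the third ends in
  # "YYYY"; this looks like a typo, so confirm against real FreeRADIUS lines
  # before changing it.
  date {
    match => [
      "timestamp",
      "yyyy-MM-dd HH:mm:ss,SSS",
      "EEE MMM dd HH:mm:ss YYY",
      "EEE MMM d HH:mm:ss YYYY"
    ]
    target => "timestamp"
  }

  # Reduce the FQDN in [host][name] to its first label and expose it as
  # "hostname". The three steps stay in separate mutate blocks on purpose: a
  # single mutate applies its operations in a fixed internal order rather than
  # the written order, so split -> replace -> rename would not be honoured.
  mutate {
    split => ["[host][name]", "."]
  }
  mutate {
    replace => ["[host][name]", "%{[host][name][0]}"]
  }
  mutate {
    rename => { "[host][name]" => "hostname" }
  }

  # Drop the raw line and the Beats/ECS metadata that is not needed downstream.
  # "@timestamp" is removed too, so documents carry only the parsed "timestamp".
  # The original list named [host][os][family] and [host][os][kernel] twice;
  # the duplicates are dropped here, and the set of removed fields is unchanged.
  mutate {
    remove_field => [
      "@timestamp",
      "message",
      "[agent][ephemeral_id]",
      "[agent][hostname]",
      "[agent][id]",
      "[agent][name]",
      "[agent][type]",
      "[agent][version]",
      "[ecs][version]",
      "[host][architecture]",
      "[host][containerized]",
      "[host][hostname]",
      "[host][id]",
      "[host][mac]",
      "[host][os][name]",
      "[host][os][codename]",
      "[host][os][family]",
      "[host][os][kernel]",
      "[host][os][platform]",
      "[host][os][version]",
      "[log][offset]"
    ]
  }
}

output {
  # One rollover alias per source. Events that carry none of the three tags
  # match no branch and are not written anywhere.
  #
  # Credentials: the password is no longer stored in this file. It is resolved
  # at startup from the Logstash keystore (or the environment) through the
  # ${...} reference. LOGSTASH_INTERNAL_PASSWORD is a placeholder key name;
  # create it with `bin/logstash-keystore add LOGSTASH_INTERNAL_PASSWORD`.
  # The value that was previously committed here in clear text should be
  # treated as exposed and rotated.
  #
  # NOTE(review): the hosts use plain http://, so the logstash_internal
  # credentials and all log content (including IMSIs) cross the network
  # unencrypted. Switch to https:// once TLS is enabled on the Elasticsearch
  # HTTP layer.
  if "ocs" in [tags] {
    elasticsearch {
      hosts => ["http://10.12.174.15:9200","http://10.12.174.16:9200","http://10.12.174.17:9200"]
      user => "logstash_internal"
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
      ilm_enabled => true
      ilm_rollover_alias => "simfony-mobility-ocs-log"
      ilm_policy => "simfony-log-hot-warm"
      ilm_pattern => "{now/d}-1"
    }
  } else if "hlr" in [tags] {
    elasticsearch {
      hosts => ["http://10.12.174.15:9200","http://10.12.174.16:9200","http://10.12.174.17:9200"]
      user => "logstash_internal"
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
      ilm_enabled => true
      ilm_rollover_alias => "simfony-mobility-hlr-log"
      ilm_policy => "simfony-log-hot-warm"
      ilm_pattern => "{now/d}-1"
    }
  } else if "aaa" in [tags] {
    elasticsearch {
      hosts => ["http://10.12.174.15:9200","http://10.12.174.16:9200","http://10.12.174.17:9200"]
      user => "logstash_internal"
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
      ilm_enabled => true
      ilm_rollover_alias => "simfony-mobility-aaa-log"
      ilm_policy => "simfony-log-hot-warm"
      ilm_pattern => "{now/d}-1"
    }
  }
}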