# intake.conf
#
# Intake stage for the "Simfony_Mobility_Logs" pipeline. Events are routed by
# the values already present in [tags] (they are not set in this file, so they
# presumably come from the upstream pipeline or shipper; verify there). Each
# branch parses the raw line with grok. The "ocs" and "aaa" branches also clone
# every event into a notification stream, which is reduced to notification
# lines and tagged per identifier group.

# Pipeline-to-pipeline input: events arrive from another pipeline on this
# Logstash instance that sends to the same virtual address.
input {
  pipeline { address => "Simfony_Mobility_Logs" }
}

filter {
  if "ocs" in [tags] {
    # Duplicate each OCS event. The clone filter leaves the original unchanged.
    # NOTE(review): the "notification-ocs" tag is expected to land on the clone
    # only, which is what the conditional below relies on. Confirm on the
    # deployed plugin version.
    clone {
      clones => ["notification-ocs"]
      add_tag => [ "notification-ocs" ]
    }
    # Split the line into timestamp, log-level, issuer, pool and log-message.
    # No failure handling is configured here, so a line that does not match
    # keeps only [message] and gets grok's default failure tag.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
    if "notification-ocs" in [tags] {
      # Debug aid, left disabled:
      # ruby {
      #   code => 'puts "Input rule matched: contains ocs-notification-v1"'
      # }

      # Keep only lines that contain the literal "[OCS-NOTIFICATION]" marker.
      # The test runs on the raw [message], so it does not depend on grok
      # having succeeded.
      if [message] =~ /\[OCS-NOTIFICATION\]/ {
        # Group tagging is an unanchored substring match anywhere in the raw
        # line. Any line whose free text contains one of these strings gets the
        # group tag, and the first matching branch wins when a line contains
        # identifiers from both lists.
        # NOTE(review): if these tags decide which party later receives the
        # event, match on a parsed, delimited field instead of the whole
        # message, so that externally influenced text in the line cannot steer
        # the routing.
        # NOTE(review): "v2_v2_alwaysconnected" has a doubled "v2_" prefix.
        # Confirm that it matches the real identifier.
        if [message] =~ /v2_simfony|v2_advancedtracking|v2_zariot|v2_v2_alwaysconnected|v2_ulink|v2_ipvisie|v2_ip3labs|v2_aec_skyline|v2_mondicon|v2_peoplefone_deu/ {
          # simfony group
          mutate { add_tag => ["notification_simfony"] }
        # NOTE(review): "v2_v2_business_iot" also has a doubled "v2_" prefix.
        } else if [message] =~ /v2_ibasis_ibasis|v2_ibasis_sales_demo|v2_combonet|v2_global_operator|v2_imatrixsys|v2_v2_business_iot|v2_infisim|v2_thinglabs|v2_athalos|v2_pkcloud|v2_fidenty/ {
          # ibasis group
          mutate { add_tag => ["notification_ibasis"] }
        }
        # A notification line that matches neither list is kept without a
        # group tag. Downstream outputs must decide what to do with it.
      } else {
        drop {}  # Drop cloned lines that are not OCS notifications
      }
    }
  } else if "diameter" in [tags] {
    # Same line layout as the OCS branch.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
  } else if "hlr" in [tags] {
    # Same line layout as the OCS branch.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
  } else if "dra" in [tags] {
    # Same line layout as the OCS branch.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
  } else if "hss" in [tags] {
    # Same line layout as the OCS branch.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
  } else if "aaa" in [tags] {
    # Duplicate each AAA event into a notification stream, as the OCS branch does.
    # NOTE(review): the "notification-aaa" tag is expected to land on the clone
    # only. Confirm on the deployed plugin version.
    clone {
      clones => ["notification-aaa"]
      add_tag => [ "notification-aaa" ]
    }
    # Two layouts are tried in order: with and without a log-plugin column.
    # FREERADIUS_DATE and FREERADIUS_LOGTYPE are presumably custom patterns
    # loaded from patterns_dir. Verify that the directory is present and
    # writable only by the Logstash administrator.
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => [ "%{FREERADIUS_DATE:timestamp}%{SPACE}:%{SPACE}%{FREERADIUS_LOGTYPE:log-level}:%{SPACE}%{FREERADIUS_LOGTYPE:log-plugin}:%{SPACE}%{GREEDYDATA:log-message}", "%{FREERADIUS_DATE:timestamp}%{SPACE}:%{SPACE}%{FREERADIUS_LOGTYPE:log-level}:%{SPACE}%{GREEDYDATA:log-message}" ] }
    }
    if "notification-aaa" in [tags] {
      # Keep only lines containing "notification-v1" (tested on the raw [message]).
      if [message] =~ /notification-v1/ {
        # Same identifier lists and the same unanchored substring matching as
        # the OCS branch. The two copies are maintained separately, so keep
        # them in sync.
        # NOTE(review): prefer matching on a parsed field if these tags drive
        # per-party delivery. Text elsewhere in the line that contains an
        # identifier would otherwise set the tag.
        if [message] =~ /v2_simfony|v2_advancedtracking|v2_zariot|v2_v2_alwaysconnected|v2_ulink|v2_ipvisie|v2_ip3labs|v2_aec_skyline|v2_mondicon|v2_peoplefone_deu/ {
          # simfony group
          mutate { add_tag => ["notification_simfony"] }
        } else if [message] =~ /v2_ibasis_ibasis|v2_ibasis_sales_demo|v2_combonet|v2_global_operator|v2_imatrixsys|v2_v2_business_iot|v2_infisim|v2_thinglabs|v2_athalos|v2_pkcloud|v2_fidenty/ {
          # ibasis group
          mutate { add_tag => ["notification_ibasis"] }
        }
        # A notification line that matches neither list is kept without a
        # group tag.
      } else {
        drop {}  # Drop cloned lines that are not notifications
      }
    }
  } else if "meveo" in [tags] {
    # Meveo lines carry a time-of-day only (TIME, no date) and a bracketed issuer.
    grok {
      match => { "message" => "%{TIME:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}\[%{DATA:issuer}\]%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
  }
}