logstash/conf.d/110-sanitize-simfony-network-log.conf
2025-02-18 16:02:34 +03:00


# sanitize-simfony-network-log.conf
#input { pipeline { address => "sanitize-simfony-netork-log" } }
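filter {
  # Extract the subscriber IMSI from "log-message" into its own "imsi" field.
  # %{IMSI} is a site-local grok pattern loaded from patterns_dir; its
  # definition is not part of this file.
  # NOTE(review): the IMSI is a subscriber identifier. "log-message" is not
  # modified or removed anywhere in this filter, so the raw value is still
  # forwarded both inside that text and in "imsi". If this stage is meant to
  # redact or pseudonymize it, that step is missing; otherwise make sure the
  # downstream store is access-controlled accordingly.
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => {
      "log-message" => "IMSI\s*=\s*(%{IMSI:imsi})"
    }
    # Empty list: events that do not match are passed on without a
    # _grokparsefailure tag.
    tag_on_failure => []
  }

  # Parse the string in "timestamp" and write the parsed time back in place.
  # No timezone is set, so formats that carry no offset are interpreted in the
  # platform default zone of the Logstash host - confirm that this matches the
  # log producers, otherwise events will be misaligned during correlation.
  # If none of the formats match, the event is tagged (_dateparsefailure by
  # default) and "timestamp" stays an unparsed string; because @timestamp is
  # dropped below, such an event carries no parsed time at all.
  # NOTE(review): "YYY" in the third format looks like a typo for the "YYYY"
  # used in the fourth - confirm before changing.
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS", "ISO8601", "EEE MMM dd HH:mm:ss YYY", "EEE MMM d HH:mm:ss YYYY"]
    target => "timestamp"
  }

  # Reduce [host][name] to its first dot-separated label and expose it as
  # "hostname".
  # These are three separate mutate blocks on purpose. Inside a single mutate
  # block the operations run in the plugin's fixed internal order (rename,
  # then replace, then split), not in the order they are written. Combined in
  # one block, the full name was renamed to "hostname" first and the
  # split/replace then acted on a field that no longer existed.
  # The guard keeps "replace" from creating [host][name] with an unresolved
  # "%{...}" literal on events that have no host name.
  if [host][name] {
    mutate {
      split => ["[host][name]", "."]
    }
    mutate {
      replace => ["[host][name]", "%{[host][name][0]}"]
    }
    mutate {
      rename => { "[host][name]" => "hostname" }
    }
  }

  # Drop shipper and host metadata that is not forwarded downstream.
  # Written as a single list instead of repeated remove_field settings; the
  # duplicated [host][os][family] and [host][os][kernel] entries are listed
  # once.
  mutate {
    remove_field => [
      "@timestamp",
      "message",
      "[agent]",
      "[ecs][version]",
      "[host][architecture]",
      "[host][containerized]",
      "[host][hostname]",
      # Already moved to "hostname" by the rename above; kept as a safeguard.
      "[host][name]",
      "[host][id]",
      "[host][mac]",
      "[host][os][name]",
      "[host][os][codename]",
      "[host][os][family]",
      "[host][os][kernel]",
      "[host][os][platform]",
      "[host][os][version]",
      "[log][offset]"
    ]
  }
}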
#output { pipeline { send_to => "output-simfony-network-log" } }