logstash/conf.d/old_pipelines/pipeline-log.conf
2025-02-18 16:02:34 +03:00


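# Beats listener: accepts events shipped by Beats agents on TCP 5044.
# The shippers set the "ocs" / "hlr" / "aaa" tags that the filter and output
# stages below route on.
#
# NOTE(review): no ssl_* options are set on this input, so the listener takes
# plaintext connections without authenticating the sender. Unless the port is
# restricted at the network layer, any host that can reach it can submit events
# with tags of its choosing, and log lines (including IMSI values) cross the
# network unencrypted. Enable TLS with client-certificate verification through
# the beats input's ssl_* options; the exact option names depend on the
# installed plugin version.
input {
  beats {
    # The option is numeric; the original passed it as the string "5044".
    port => 5044
  }
}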
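# Parse OCS/HLR and AAA (FreeRADIUS-style) log lines into structured fields,
# normalise the event time and host name, and strip Beats metadata that is not
# needed in the index.
filter {
  # OCS / HLR lines: "<ISO8601 timestamp> <level> <issuer> (<pool>) <text>".
  if "ocs" in [tags] or "hlr" in [tags] {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:log-level}%{SPACE}%{DATA:issuer}%{SPACE}\(%{DATA:pool}\)%{SPACE}%{GREEDYDATA:log-message}" }
    }
  }

  # AAA lines: two layouts, with and without a plugin name after the level.
  # FREERADIUS_DATE and FREERADIUS_LOGTYPE are custom patterns loaded from
  # patterns_dir; their definitions are not part of this file.
  if "aaa" in [tags] {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => {
        "message" => [
          "%{FREERADIUS_DATE:timestamp}%{SPACE}:%{SPACE}%{FREERADIUS_LOGTYPE:log-level}:%{SPACE}%{FREERADIUS_LOGTYPE:log-plugin}:%{SPACE}%{GREEDYDATA:log-message}",
          "%{FREERADIUS_DATE:timestamp}%{SPACE}:%{SPACE}%{FREERADIUS_LOGTYPE:log-level}:%{SPACE}%{GREEDYDATA:log-message}"
        ]
      }
    }
  }

  # Pull an IMSI out of the parsed message text when one is present.
  # tag_on_failure is emptied because most lines carry no IMSI and must not be
  # tagged as parse failures.
  # NOTE(review): IMSI is a subscriber identifier; the target indices should be
  # access-controlled accordingly. The IMSI pattern itself comes from
  # patterns_dir and is not visible here.
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => {
      "log-message" => "IMSI\s*=\s*(%{IMSI:imsi})"
    }
    tag_on_failure => []
  }

  # Convert the extracted text timestamp into a date, written back to the same
  # field.
  # NOTE(review): the second format spells the year "YYY" while the third uses
  # "YYYY"; left exactly as found, confirm this is intended.
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS", "EEE MMM dd HH:mm:ss YYY", "EEE MMM d HH:mm:ss YYYY" ]
    target => "timestamp"
  }

  # Reduce an FQDN in [host][name] to its first label and expose it as
  # "hostname". Three separate mutate blocks are required: a single mutate
  # applies its operations in a fixed internal order, not in the order written.
  # Guarded because "replace" creates the field when it is missing, which would
  # index the literal text "%{[host][name][0]}" as the host name.
  if [host][name] {
    mutate {
      split => ["[host][name]", "."]
    }
    mutate {
      replace => ["[host][name]", "%{[host][name][0]}"]
    }
    mutate {
      rename => { "[host][name]" => "hostname" }
    }
  }

  # Drop the raw line only once it has been parsed. When grok fails the event
  # has no log-message field, so removing "message" unconditionally would
  # discard the only copy of the original text; unparsed lines are kept for
  # troubleshooting and review.
  if "_grokparsefailure" not in [tags] {
    mutate {
      remove_field => [ "message" ]
    }
  }

  # Strip Beats/ECS metadata that is not wanted in the index. The original
  # listed [host][os][family] and [host][os][kernel] twice; each appears once.
  # NOTE(review): @timestamp is removed and event time is carried in
  # "timestamp"; an event whose timestamp was not extracted or not parsed ends
  # up without a reliable time field, confirm that is acceptable.
  mutate {
    remove_field => [
      "@timestamp",
      "[agent][ephemeral_id]",
      "[agent][hostname]",
      "[agent][id]",
      "[agent][name]",
      "[agent][type]",
      "[agent][version]",
      "[ecs][version]",
      "[host][architecture]",
      "[host][containerized]",
      "[host][hostname]",
      "[host][id]",
      "[host][mac]",
      "[host][os][name]",
      "[host][os][codename]",
      "[host][os][family]",
      "[host][os][kernel]",
      "[host][os][platform]",
      "[host][os][version]",
      "[log][offset]"
    ]
  }
}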
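# Route each log family to its own ILM-managed rollover alias on the
# Elasticsearch cluster. Events tagged with none of ocs / hlr / aaa match no
# branch and are not indexed.
#
# Credentials: the password is no longer stored in this file. "${ES_PWD}" is
# resolved at startup from the Logstash keystore (or the environment); create
# the entry with `bin/logstash-keystore add ES_PWD` before deploying. The
# literal password that previously sat in this file has been exposed wherever
# the file was committed or copied, so rotate the logstash_internal password
# rather than reusing it.
#
# NOTE(review): all three hosts use http://, so the basic-auth credentials and
# the log data are sent unencrypted. Switch the URLs to https:// and configure
# CA verification through the elasticsearch output's ssl_* options once TLS is
# enabled on the cluster; the option names depend on the plugin version.
output {
  if "ocs" in [tags] {
    elasticsearch {
      hosts => ["http://10.12.174.15:9200","http://10.12.174.16:9200","http://10.12.174.17:9200"]
      user => "logstash_internal"
      password => "${ES_PWD}"
      ilm_enabled => true
      ilm_rollover_alias => "simfony-mobility-ocs-log"
      ilm_policy => "simfony-log-hot-warm"
      ilm_pattern => "{now/d}-1"
    }
  } else if "hlr" in [tags] {
    elasticsearch {
      hosts => ["http://10.12.174.15:9200","http://10.12.174.16:9200","http://10.12.174.17:9200"]
      user => "logstash_internal"
      password => "${ES_PWD}"
      ilm_enabled => true
      ilm_rollover_alias => "simfony-mobility-hlr-log"
      ilm_policy => "simfony-log-hot-warm"
      ilm_pattern => "{now/d}-1"
    }
  } else if "aaa" in [tags] {
    elasticsearch {
      hosts => ["http://10.12.174.15:9200","http://10.12.174.16:9200","http://10.12.174.17:9200"]
      user => "logstash_internal"
      password => "${ES_PWD}"
      ilm_enabled => true
      ilm_rollover_alias => "simfony-mobility-aaa-log"
      ilm_policy => "simfony-log-hot-warm"
      ilm_pattern => "{now/d}-1"
    }
  }
}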