#
# Generated by Chef
#
# Assumptions:
#  This indexer runs on a netsyslog server.
#  A local instance of elasticsearch is running.
#  The Kibana recipe takes care of that; it is not strictly required, but it is the intended setup.
#

input {
  # One file input per device class.  Every input tails the per-type
  # syslog spool under /opt/log/remote-bytype/ and stamps events with a
  # `type`; the filter section keys its device-specific grok on that
  # value.  `start_position => "beginning"` reads a file from its first
  # line instead of only from the end, and rotated `*.bz2` archives are
  # skipped.  NOTE(review): the file input keeps a per-file read offset
  # (sincedb), so "beginning" presumably only affects files it has not
  # seen before — confirm for the Logstash version in use before relying
  # on a re-read of old spools.
  file {
    start_position => "beginning"
    type => "netscaler"
    path => [ "/opt/log/remote-bytype/netscaler*" ]
    exclude => "*.bz2"
  }
  file {
    start_position => "beginning"
    type => "comware"
    path => [ "/opt/log/remote-bytype/comware*" ]
    exclude => "*.bz2"
  }
  file {
    start_position => "beginning"
    type => "arbor"
    path => [ "/opt/log/remote-bytype/arbor*" ]
    exclude => "*.bz2"
  }
  file {
    start_position => "beginning"
    type => "tippingpt"
    path => [ "/opt/log/remote-bytype/tippingpt*" ]
    exclude => "*.bz2"
  }
  file {
    start_position => "beginning"
    type => "vpn"
    path => [ "/opt/log/remote-bytype/vpn*" ]
    exclude => "*.bz2"
  }
  file {
    start_position => "beginning"
    type => "apigee"
    path => [ "/opt/log/remote-bytype/apigee*" ]
    exclude => "*.bz2"
  }
  file {
    start_position => "beginning"
    type => "firewall"
    path => [ "/opt/log/remote-bytype/firewall*" ]
    exclude => "*.bz2"
  }
  # Catch-all spool.  Only the generic syslog parsing in the filter
  # section applies to it; there is no type-specific grok for "misc"
  # (nor for comware, arbor, apigee or firewall).
  file {
    start_position => "beginning"
    type => "misc"
    path => [ "/opt/log/remote-bytype/misc*" ]
    exclude => "*.bz2"
  }
}

filter {
  # Stage 1: generic syslog header parsing, applied to every type.
  # Each pattern splits the raw line into syslog_timestamp,
  # syslog_hostname and syslog_message; an event that matches none of
  # them is tagged _grokparsefailure and keeps its raw @message.  No
  # event is dropped here, so unparsed lines are still indexed.
  # NOTE(review): the patterns are listed as repeated `match` keys — the
  # order they are tried in is presumably top to bottom; confirm that the
  # config parser of the Logstash version in use merges repeated keys
  # rather than keeping only the last one.
  grok {
    # Lines carrying a second "MM/DD/YYYY:HH:MM:SS GMT" timestamp after the
    # syslog one (presumably NetScaler — TODO confirm against a sample).
    match => [ "message", "^%{TIMESTAMP_ISO8601:syslog_timestamp}%{SPACE}%{SPACE}%{DATE_US}:%{SPACE}%{TIME}%{SPACE}GMT%{SPACE}%{SYSLOGHOST:syslog_hostname}%{SPACE}%{GREEDYDATA:syslog_message}" ]
    match => [ "message", "^%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{SPACE}%{DATE_US}:%{SPACE}%{TIME}%{SPACE}GMT%{SPACE}%{SYSLOGHOST:syslog_hostname}%{SPACE}%{GREEDYDATA:syslog_message}" ]
    # Comware: a bare year sits between the timestamp and the hostname.
    # The year is matched but not captured, so it does not reach the date
    # filter below.
    match => [ "message", "^%{TIMESTAMP_ISO8601:syslog_timestamp}%{SPACE}%{YEAR}%{SPACE}%{SYSLOGHOST:syslog_hostname}%{SPACE}%{GREEDYDATA:syslog_message}" ]
    match => [ "message", "^%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{YEAR}%{SPACE}%{SYSLOGHOST:syslog_hostname}%{SPACE}%{GREEDYDATA:syslog_message}" ]
    # Juniper/regular device logs: plain "timestamp host message".
    # These are the loosest patterns and must stay last.
    match => [ "message", "^%{TIMESTAMP_ISO8601:syslog_timestamp}%{SPACE}%{SYSLOGHOST:syslog_hostname}%{SPACE}%{GREEDYDATA:syslog_message}" ]
    match => [ "message", "^%{SYSLOGTIMESTAMP:syslog_timestamp}%{SPACE}%{SYSLOGHOST:syslog_hostname}%{SPACE}%{GREEDYDATA:syslog_message}" ]
  }
  # Stage 2: set the event time from the timestamp in the log line
  # rather than the time of indexing.  Accepted layouts are listed in
  # order; if syslog_timestamp is missing (grok failed) or matches none
  # of them the event keeps its index-time @timestamp.  None of the
  # layouts carries a zone, so the timezone applied is the filter's
  # default — verify it matches what the devices emit.
  date {
    match => [ "syslog_timestamp", "MMM dd HH:mm:ss YYYY", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "ISO8601" ]
  }
  # Stage 3: for successfully parsed lines, attribute the event to the
  # host named in the syslog line instead of the collector, and strip
  # the timestamp/host prefix from @message.
  # NOTE(review): syslog_hostname comes from the message body, i.e. it is
  # whatever the remote sender wrote.  A sender that forges that field is
  # attributed to the forged host, and the collector-supplied
  # @source_host is overwritten rather than preserved.  If source
  # attribution matters for investigations, copy the original value into
  # a separate field before this replace.
  if !("_grokparsefailure" in [tags]) {
    mutate {
      replace => [ "@source_host", "%{syslog_hostname}" ]
      replace => [ "@message", "%{syslog_message}" ]
    }
  }
  # Stage 4: drop the intermediate syslog_* fields now that their values
  # have been folded into @source_host/@message.  Runs unconditionally;
  # on a _grokparsefailure event the fields simply do not exist.
  mutate {
    remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
  }
  # Stage 5: type-specific parsing of the remaining @message.  Types
  # without a branch here keep the generic parsing only.  A failed match
  # in these groks also adds _grokparsefailure, so that tag alone does
  # not say which stage failed.
  if [type] == "tippingpt" {
    grok {
      # TippingPoint SMS alerts: one CSV-style record per line.  Every
      # field is captured positionally, so a record with a different
      # column count fails to match.
      match => [ "@message", "^%{INT:actionType},%{INT:severity},%{DATA:policyUUID},%{DATA:signatureUUID},%{DATA:filterName},%{INT:signatureNumber},%{DATA:protocol},%{IP:srcAddress},%{INT:srcPort},%{IP:dstAddress},%{INT:dstPort},%{INT:hitCount},%{DATA:srcZone},%{DATA:dstZone},%{INT:physPort},%{INT:vlan},%{DATA:deviceName},%{INT:taxonomyID},%{INT:eventTimestamp},%{DATA:msgParameters},%{INT:eventID}" ]
    }
  } else if [type] == "netscaler" {
    grok {
      # NetScaler service (server_svc_cfg_*) state change: captures the
      # service type, address, port and name; the UP/DOWN state itself is
      # matched but not captured.
      match => [ "@message", "^EVENT %{DATA:event_type} %{INT} %{INT} :  Device \"server_svc_cfg_%{DATA:svc_type}_%{IP:svc_address}:%{INT:svc_port}\(%{DATA:svc_name}\)\" - State (UP|DOWN)" ]
      # NetScaler virtual server (server_vip_NSSVC_*) state change; as
      # above, TCP/UDP and UP/DOWN are matched but not captured.
      match => [ "@message", "^EVENT %{DATA:event_type} %{INT} %{INT} :  Device \"server_vip_NSSVC_(TCP|UDP)_%{IP:vip_address}:%{INT:vip_port}\(%{DATA:vip_name}\)\" - State (UP|DOWN)" ]
    }
  } else if [type] == "vpn" {
    grok {
      # VPN tunnel session start/stop: sourceIP is the client's public
      # address, client_ip the tunnel address it was assigned, and
      # sessionType the "Session <started|ended>"-style word.
      match => [ "@message", "^\[%{IP:sourceIP}\] %{DATA:userName}\(%{DATA:authMechanism}\)\[%{DATA:userGroups}\] - VPN Tunneling: Session %{WORD:sessionType} for user with IP %{IP:client_ip}" ]
      # Generic fallback for every other line in this log format so that
      # the user/auth fields are still extracted and the event is not
      # tagged _grokparsefailure.
      match => [ "@message", "^\[%{IP:sourceIP}\] %{DATA:userName}\(%{DATA:authMechanism}\)\[%{DATA:userGroups}\] - " ]
    }
  }#end type specific filters
}#end filter

output {
   # Ship every event to the elasticsearch cluster named net_es_rdd.  With
   # protocol and host left commented out, the plugin's defaults decide
   # how the cluster is reached; the file header assumes a local instance.
   # NOTE(review): no credentials or transport encryption are configured
   # here, so the indexer relies on the host/network boundary alone to
   # protect the cluster — confirm that is still the deployment model
   # before uncommenting `host` to point at a remote node.
   elasticsearch {
     cluster => "net_es_rdd"
     #protocol => "http"
     #host => "127.0.0.1"
   }
}
