dosomethingExternal-elasticsearch.conf

input {
  tcp { 
    type => "syslog"
    port => 3333
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # See the following URL for a complete list of named patterns
      # logstash/grok ships with by default:
      # https://github.com/logstash/logstash/tree/master/patterns
      #
      # The grok filter will use the below pattern and on successful match use
      # any captured values as new fields in the event.

      # Pattern from dosomething-elasticsearch.conf is put in file /vagrant/patterns/syslog and called from this configuation file.
      patterns_dir => ["/vagrant/patterns"]
      match => [ "message", "%{DOSOMETHING}" ]
      add_tag => [ "syslog", "grokked" ]
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]    
    }
    if ("_grokparsefailure" in [tags]) {
	    mutate {
	    add_tag => [ "error" ]
	    }
    }
    date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The syslog time format looks like: "Oct 20 05:44:34"
      match => { "syslog_timestamp" => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
    }
    
  }
}

output {
  elasticsearch {
    # Setting 'embedded' will run  a real elasticsearch server inside logstash.
    # This option below saves you from having to run a separate process just
    # for ElasticSearch, so you can get started quicker!
    embedded => true
  }
  stdout { codec => rubydebug }
}