cookbooks/ss_logstash/files/default/logstash.conf

input {
  udp {
    port => 5656
    codec => netflow
    type => netflow
  }
  udp {
    port => 5005
    tags => ["udp"]
    type => sensorData
  }
  udp {
    port => 5657
    tags => ["udp"]
    type => draytekSyslog
  }
  syslog {
    port => 5658
    tags => ["syslog"]
    type => debianSyslog
  }
}

filter {
  if [type] == "netflow" {
    mutate {
      add_field => {"dstip" => "%{[netflow][ipv4_dst_addr]}"}
      add_field => {"srcip" => "%{[netflow][ipv4_src_addr]}"}
    }
    geoip {
      add_tag => [ "GeoIPDst" ]
      source => "dstip"
      target => "geoipdst"
    }
    geoip {
      add_tag => [ "GeoIPSrc" ]
      source => "srcip"
      target => "geoipsrc"
    }
    dns {
      add_tag => [ "DNSResolvDst" ]
      reverse => [ "dstip" ]
      action => "replace"
    }
    dns {
      add_tag => [ "DNSResolvSrc" ]
      reverse => [ "srcip" ]
      action => "replace"
    }
  }
  if [type] == "sensorData" {
    json {
      add_tag => [ "sensorData" ]
      source => "message"
    }
  }

  if [type] == "draytekSyslog" {
    grok {
      match => ["message", "<%{INT:id}>%{SYSLOGTIMESTAMP} %{WORD:deviceName}: %{DATA:user} \(MAC=%{MAC}\): %{IP:source}:%{POSINT:sPort} -> %{IP:destination}:%{POSINT:dPort} \(%{WORD:protocol}\)"]
      match => ["message", "<%{INT:id}>%{SYSLOGTIMESTAMP} %{WORD:deviceName}: %{DATA:user}: %{IP:source}:%{POSINT:sPort} -> %{IP:destination}:%{POSINT:dPort} \(%{WORD:protocol}\) %{GREEDYDATA:action}"]
      match => ["message", "<%{INT:id}>%{SYSLOGTIMESTAMP} %{WORD:deviceName}: %{DATA:user}: %{WORD:interface}: Tx %{INT:tKbps30} Kbps, Rx %{INT:rKbps30} Kbps \(30 min"]
      match => ["message", "<%{INT:id}>%{SYSLOGTIMESTAMP} %{WORD:deviceName}: %{DATA:user}: %{WORD:interface}: Tx %{INT:tKbps5} Kbps, Rx %{INT:rKbps5} Kbps \(5 min"]
      match => ["message", "<%{INT:id}>%{SYSLOGTIMESTAMP} %{WORD:deviceName}:"]
    }

    geoip {
      add_tag => [ "GeoIPSyslog" ]
      source => "destination"
    }

    dns {
      add_tag => [ "DNSResolvDest" ]
      reverse => [ "destination" ]
      action => "replace"
    }

    dns {
      add_tag => [ "DNSResolvSource" ]
      reverse => [ "source" ]
      action => "replace"
    }

    mutate {
      convert => [ "tKbps5", "integer" ]
      convert => [ "rKbps5", "integer" ]
      convert => [ "tKbps30", "integer" ]
      convert => [ "rKbps30", "integer" ]
      convert => [ "timeAvg", "integer" ]
      convert => [ "dPort", "integer" ]
      convert => [ "sPort", "integer" ]
    }
  }
}


output {
  stdout {}
  elasticsearch {
    host => "127.0.0.1"
    protocol => "http"
  }
}