# Field extraction for syslog lines from UniFi access points; applies only to
# events an earlier stage has tagged "UniFiAP". UNIFI_DEV_TYPE and
# UNIFI_EVENT_TYPE are site-specific patterns loaded from patterns_dir.
if "UniFiAP" in [tags] {
  grok {
    patterns_dir => [ "/etc/logstash/patterns" ]
    # Several candidate patterns for one field. grok tries them in order and
    # stops at the first match (break_on_match default), so the specific
    # station / event shapes are listed first and the bare
    # %{GREEDYDATA:message} catch-all last. Every pattern shares the prefix
    # PRI + Cisco-style timestamp + device type + program[pid]:
    match => {
      "message" => [
        # "<iface>: STA <mac> <event-type>: <detail>"
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:unifi_interface}: STA %{MAC:unifi_sta_mac} %{UNIFI_EVENT_TYPE:unifi_sta_event_type}: %{GREEDYDATA:unifi_sta_event}",
        # "<iface>: <event-type> <detail>" (no station MAC)
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:unifi_interface}: %{UNIFI_EVENT_TYPE:unifi_sta_event_type} %{GREEDYDATA:unifi_sta_event}",
        # Driver events: the station MAC is taken from the trailing addr=
        # field, not from the one after "STA"
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:unifi_interface}: STA %{MAC} DRIVER: %{GREEDYDATA:unifi_sta_event} addr=%{MAC:unifi_sta_mac} %{GREEDYDATA}",
        # Any other "STA <mac> ..." line; the remainder replaces message
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:unifi_interface}: STA %{MAC:unifi_sta_mac} %{GREEDYDATA:message}",
        # wevent custom events, with and without a station IP
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: wevent.ubnt_custom_event\(\): %{WORD:unifi_sta_event} %{WORD:unifi_interface}: %{MAC:unifi_sta_mac} / %{IP:unifi_sta_ip}",
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: wevent.ubnt_custom_event\(\): %{WORD:unifi_sta_event} %{WORD:unifi_interface}: %{MAC:unifi_sta_mac} / %{INT}",
        # "<event> <mac> <iface> (<detail>)"
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:unifi_sta_event} %{MAC:unifi_sta_mac} %{WORD:unifi_interface} \(%{GREEDYDATA:message}\)",
        # Catch-all: strip the header, keep the rest as message
        "%{SYSLOG5424PRI}%{CISCOTIMESTAMP:timestamp}%{UNIFI_DEV_TYPE} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:message}"
      ]
    }
    # On a successful match, drop the raw PRI capture and the version marker.
    remove_field => [ "syslog5424_pri", "@version" ]
    # Patterns capturing %{GREEDYDATA:message} replace the original line
    # rather than appending to it.
    overwrite => [ "message" ]
  }
  mutate {
    # Applied to every UniFiAP event, including those no pattern above
    # matched, so an unparsed line passes through without any marker that
    # extraction failed. If parse-failure visibility matters for monitoring
    # or alerting, a distinct tag_on_failure on the grok above would keep
    # that signal while still suppressing the default tag here.
    remove_tag => [ "_grokparsefailure" ]
  }
}