# Logstash pipeline as shown in the post; the [INPUT] / [FILTER] tags are the post's own section
# headings, not pipeline syntax, and the listing is collapsed onto one line.
#
# Input: a syslog listener on port 9401 whose grok_pattern is %{GREEDYDATA:message}, so the whole
# received line is stored verbatim in [message] instead of being parsed as a standard syslog line.
# NOTE(review): no `host` is set, so the listener uses the plugin default (presumably all interfaces)
# and the syslog input offers no authentication or TLS — anything that can reach port 9401 can inject
# events. Confirm the port is restricted to the expected senders, or use the tcp input with ssl when
# transport security is required.
#
# Filter: gsub strips embedded newlines from [message] (so dissect works on a single line), the
# severity/priority fields are removed, and dissect derives [event][type], [from_ip] and [msg] from the
# message text. Those values therefore come from the sender, and the `if [event][type] == "audit"`
# branch routes on a sender-controlled field — treat [event][type] and [from_ip] as untrusted in any
# downstream alerting. The audit branch splits [msg] on "," and maps positional pieces to fields, which
# assumes no field ever contains a comma — TODO confirm with the producer. The add_field mapping in that
# branch is truncated at the end of this listing.
[INPUT] input { syslog { port => 9401 grok_pattern => "%{GREEDYDATA:message}" } } [FILTER] filter { mutate { gsub => ["message","\n",""] remove_field => ["severity","priority"] } dissect { mapping => { "message" => "1 %{syslogtime} [%{[event][type]}] [%{from_ip}]%{msg}" } } if [event][type] == "audit" { mutate { split => ["msg",","] add_field => { "time" => "%{[msg][0]}" "machine_name" => "%{[ms..