-
Notifications
You must be signed in to change notification settings - Fork 0
/
test.bak2
63 lines (58 loc) · 3.12 KB
/
test.bak2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Take Input from SCCM App Logs
# Start at beginning of file
input {
beats {
port => 5044
codec => multiline
{
pattern => "^\s"
what => "previous"
}
}
}
filter {
if [type] == "sccmlog" {
grok {
# Match 1 - ActionType -
match => { "message" => '^\A<!\[LOG\[ ActionType - %{WORD:action_type} will use Content Id: %{NOTSPACE:content_id} \+ Content Version: %{INT:content_version} for AppDT %{QUOTEDSTRING:deployment_type_name} \[%{EMAILLOCALPART:deployment_type_id}], Revision - %{INT:app_revision}]LOG]!><time="%{TIME:time}(\+|\-)([0-9])?([0-9])?([0-9])?" date="%{DATE:date}" component="%{WORD:component}" context="" type="%{INT:type}" thread="%{INT:thread}" file="%{HOSTNAME:filename}:%{INT:fileline}">$'}
# Match 2 - Discovered application
match => {"message" => '^\A<!\[LOG\[\+\+\+ %{CISCO_REASON:action_type}\[AppDT Id: %{USERNAME:scope_id}/%{USERNAME:deployment_type_id}, Revision: %{INT:app_revision}]]LOG]!><time="%{TIME:time}(\+|\-)([0-9])?([0-9])?([0-9])?" date="%{DATE:date}" component="%{WORD:component}" context="" type="%{INT:type}" thread="%{INT:thread}" file="%{HOSTNAME:filename}:%{INT:fileline}">$'}
# Match - Detected AppDeployment in AppDiscovery
match => { "message" => '^\A<!\[LOG\[\+\+\+ (?<action_type>(?:(?!type).)*)type (?<deployment_type_name>[^(]*)\((?<deployment_type_id>[^,]*), revision %{INT:deployment_type_revision}\) for [^\]]*]LOG]!\><time="%{TIME:time}(\+|\-)([0-9])?([0-9])?([0-9])?" date="%{DATE:date}" component="%{WORD:component}" context="" type="%{INT:type}" thread="%{INT:thread}" file="%{HOSTNAME:filename}:%{INT:fileline}">$' }
# Match 3 - General SCCM Single Line Log Entry
# Confirmed working for all lines in following logs :
# AppDiscovery.log
# AppIntentEval.log
# Partially working for the following logs :
# CAS.log (Some multiline entries)
# ContentTransferManager.log (Some multiline entries)
# DataTransferService.log (Some multiline entries)
# Not working at all for the following :
# AppEnforce.log (All Multiline Entries)
match => { "message" => '^\A<!\[LOG\[%{DATA:logtext}\]LOG]!\><time="%{TIME:time}(\+|\-)([0-9])?([0-9])?([0-9])?" date="%{DATE:date}" component="%{WORD:component}" context="" type="%{INT:type}" thread="%{INT:thread}" file="%{HOSTNAME:filename}:%{INT:fileline}">$' }
# Match 4 - General SCCM Multiline Entry
match => { "message" => '^\A<!\[LOG\[(?<multiline>[^\]]*)]LOG]!><time="%{TIME:time}(\+|\-)([0-9])?([0-9])?([0-9])?" date="%{DATE:date}" component="%{WORD:component}" context="" type="%{INT:type}" thread="%{INT:thread}" file="%{HOSTNAME:filename}:%{INT:fileline}">$'}
# Add Proper Date and Time
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
add_field => [ "logtime", "%{date} %{time}"]
}
date {
match => ["logtime", "MM-dd-YYYY HH:mm:ss.SSS"]
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "L!ghtn1ng"
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
stdout {
codec => json
}
}