Going back to its roots, Logstash can parse and store syslog data. This example shows a basic configuration that gets you there.
input {
  file {
    path => [
      "/var/log/syslog",
      "/var/log/auth.log"
    ]
    type => "syslog"
  }
}
filter {
  if [type] == "syslog" {
    # Uses built-in Grok patterns to parse this standard format
    grok {
      match => {
        "message" => "%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:SYSLOGMESSAGE}"
      }
    }
    # Sets the timestamp of the event to the timestamp recorded in the log data.
    # By default, Logstash sets the timestamp to the time the event was ingested.
    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  # Outputs processed events to an Elasticsearch instance local to the box.
  elasticsearch {
    hosts => [
      "localhost"
    ]
  }
}
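To see what the grok and date filters above actually produce, here is an added Python example (not code from the original post or from the Logstash project) that runs a hand-written equivalent of the `%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:SYSLOGMESSAGE}` pattern over a few constructed syslog lines. `SYSLOG_RE`, `parse_syslog_line` and the sample lines are this example's own; the year-rollover rule in `parse_syslog_timestamp` is an assumption that approximates how the date filter fills in the year that syslog timestamps lack, not a copy of its logic.

```python
import re
from datetime import datetime

# Constructed sample lines in the classic BSD syslog layout that
# /var/log/syslog and /var/log/auth.log use on Debian-style hosts.
# Not real log data.
SAMPLE_LINES = [
    "Mar  7 09:15:01 web01 CRON[2231]: (root) CMD (command -v debian-sa1 > /dev/null)",
    "Mar 17 23:59:59 web01 sshd[4021]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar 18 00:00:03 web01 systemd[1]: Started Session 12 of user deploy.",
    "this line is not syslog at all",
]

# Hand-written approximation of %{SYSLOGBASE}%{SPACE}%{GREEDYDATA:SYSLOGMESSAGE}:
# a month/day/time stamp, an optional <facility.priority> block, the host,
# the program with an optional [pid], a colon, then the free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?:<\d+\.\d+>\s)?"
    r"(?P<logsource>\S+)\s"
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?:"
    r"\s*(?P<SYSLOGMESSAGE>.*)$"
)


def parse_syslog_timestamp(stamp, now):
    """Turn 'Mar  7 09:15:01' into a datetime.

    Syslog stamps carry no year, so a reference point is needed. Assumed
    rule (approximating the date filter): use the current year, and fall
    back to the previous year when that would put the event in the future,
    e.g. a line written on Dec 31 and read on Jan 2.
    """
    # Collapse the padding single-digit days get ("Mar  7" -> "Mar 7"); this
    # is the case the second "MMM d" pattern in the config exists for.
    normalised = " ".join(stamp.split())
    candidate = datetime.strptime(f"{now.year} {normalised}", "%Y %b %d %H:%M:%S")
    if candidate > now:
        try:
            candidate = candidate.replace(year=now.year - 1)
        except ValueError:
            # Feb 29 with no Feb 29 in the previous year: keep the current year.
            pass
    return candidate


def parse_syslog_line(line, now):
    """Return the fields the grok + date filters would produce for one line."""
    match = SYSLOG_RE.match(line)
    if match is None:
        # Logstash keeps the raw line and adds a _grokparsefailure tag rather
        # than dropping it; a sudden rise in that tag means a format change.
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = match.groupdict()
    event["@timestamp"] = parse_syslog_timestamp(event["timestamp"], now)
    return event


def parse_syslog_lines(lines, now):
    return [parse_syslog_line(line, now) for line in lines]


if __name__ == "__main__":
    for event in parse_syslog_lines(SAMPLE_LINES, datetime.now()):
        print(event)
```

The unparsed fourth line shows the behaviour worth alerting on in production: grok does not drop a line it cannot match, it indexes it with the `_grokparsefailure` tag, so a rising count of that tag is the first sign that a log source changed format.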