From 68c4233e3346940858ed5ae2e793c4de88d4f766 Mon Sep 17 00:00:00 2001
From: Pablo Castorino
Date: Thu, 29 Sep 2016 16:14:51 -0300
Subject: [PATCH] refactor syslog filter

---
 elk/10-syslog.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/elk/10-syslog.conf b/elk/10-syslog.conf
index 335100cc..ae03326a 100644
--- a/elk/10-syslog.conf
+++ b/elk/10-syslog.conf
@@ -1,14 +1,14 @@
 filter {
- if [type] == "syslog" {
 grok {
- match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
+ match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
 add_field => [ "received_at", "%{@timestamp}" ]
 add_field => [ "received_from", "%{host}" ]
+ add_field => [ "program", "%{syslog_program}" ]
 }
 syslog_pri { }
 date {
- match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
+ match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
 }
- }
 }
+
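Review bot: Dropping the `if [type] == "syslog" {` guard at the top of the hunk makes the grok, syslog_pri and date filters run on every event the pipeline receives, not just syslog, while the commit message describes this only as a refactor. Any non-syslog event whose `message` does not match the pattern will now be tagged `_grokparsefailure`, and anything that happens to match will have `syslog_*` fields and `received_from` written onto it, which skews searches and alerts built on those fields. If this pipeline genuinely only carries syslog input, a one-line comment at the top of `filter {` stating that assumption would make the intent clear; otherwise the guard should be restored around the three filters. The trailing `+` line adds an empty line at the end of the file and looks unintentional.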