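# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This configuration file takes ESXi syslog messages and filters them.
# There is no input as the logs would have come in via syslog.
#
# Purpose: classify raw syslog events from the ESXi hosts as type "esxi"
# (based on the sending host) and then parse the ESXi message body into
# discrete fields so detections can key on service / log level / message.

filter {
  # This is an example of using an IP address range to classify a syslog
  # message to a specific type of log. This is helpful as so many devices
  # only send logs via syslog.
  #
  # The match is anchored with "^" so that only hosts whose address *starts*
  # with 10.0.9. or 10.1.9. are classified; without the anchor the same
  # regex also matches unrelated addresses such as 110.0.9.x or 210.1.9.x,
  # which would mis-type their events and feed them to the ESXi parser.
  if [host] =~ "^10\.[0-1]\.9\." {
    mutate {
      replace => ["type", "esxi"]
    }
  }

  # NOTE(review): this matches *any* host whose name or address ends in
  # ".234", not only the intended ESXi host. Narrow it to the full address
  # or hostname of that host once it is known for this deployment.
  if [host] =~ "\.234$" {
    mutate {
      replace => ["type", "esxi"]
    }
  }

  if [type] == "esxi" {
    # Split the syslog envelope (timestamp, host, program) from the ESXi
    # body. The body is either the structured form
    #   [<8-char thread id> <level> '<service>'] <message>
    # or, failing that, captured whole so nothing is lost.
    #
    # NOTE(review): the names of the two Oniguruma named captures
    # (?<...>) were lost when this file was extracted; "esxi_body" and
    # "esxi_thread_id" below are reconstructed placeholders describing what
    # each group captures. Restore the original field names from the
    # upstream file if downstream dashboards or rules depend on them.
    #
    # No "date" filter follows, so @timestamp stays the ingest time; the
    # event's own time is only in "timestamp"/"timestamp8601". Add a date
    # filter (with the hosts' timezone) if event-time ordering matters.
    # Consider a distinct tag_on_failure value so ESXi parse failures can
    # be monitored separately from the generic _grokparsefailure tag.
    grok {
      match => { "message" => "(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<esxi_body>(?:\[(?<esxi_thread_id>[0-9A-Z]{8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))" }
      # pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<esxi_body>(?:\[(?<esxi_thread_id>[0-9A-Z]{8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
    }

    # Left in place from the original: tagging events with the name of the
    # config file that processed them is useful for pipeline debugging, but
    # it is currently disabled.
    mutate {
      #add_tag => [ "conf_file_1029"]
    }
  }
}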