securityonion/salt/logstash/files/conf.d/1001_preprocess_syslogng.conf
2018-02-05 12:36:27 -05:00


# Updated by: Doug Burks
# Last Update: 5/15/2017
# Pre-processing for events that carry the "syslogng" tag: rename the
# upper-case fields to the lower-case / "syslog-" prefixed names, then tag
# each event as either "bro" or "syslog" based on the renamed `type` field.
filter {
  if "syslogng" in [tags] {
    mutate {
      # One rename hash instead of one `rename` setting per field; the set of
      # source => destination pairs is unchanged.
      # NOTE(review): the upper-case names look like syslog-ng macro names;
      # confirm against the shipper's output template.
      rename => {
        "MESSAGE"       => "message"
        "PROGRAM"       => "type"
        "FACILITY"      => "syslog-facility"
        "FILE_NAME"     => "syslog-file_name"
        "HOST"          => "syslog-host"
        "HOST_FROM"     => "syslog-host_from"
        "LEGACY_MSGHDR" => "syslog-legacy_msghdr"
        "PID"           => "syslog-pid"
        "PRIORITY"      => "syslog-priority"
        "SOURCEIP"      => "syslog-sourceip"
        "TAGS"          => "syslog-tags"
      }
      #add_tag => [ "conf_file_1000"]
    }

    # `type` now holds the former PROGRAM value. `in` against a string field
    # is a substring test, so any program name containing "bro_" anywhere is
    # tagged "bro".
    # NOTE(review): if this pipeline also receives syslog from hosts other
    # than the local sensor, PROGRAM is chosen by the sender; later filters
    # should not treat the "bro" tag alone as proof that an event came from
    # the sensor's own Bro logs. Confirm which inputs set the "syslogng" tag.
    if "bro_" in [type] {
      mutate {
        add_tag => [ "bro" ]
      }
    } else {
      # Everything else from this input is handled as generic syslog.
      mutate {
        add_tag => [ "syslog" ]
      }
    }
  }
}