securityonion/salt/logstash/conf/pipelines/eval/1001_preprocess_syslogng.conf
m0duspwnens d94065fa00 evalfix
2020-01-30 17:09:06 -05:00

# Updated by: Doug Burks and Wes Lambert
# Last Update: 10/30/2018
filter {
  # Only events that arrived through the syslog-ng input carry this tag;
  # everything else passes through this file untouched.
  if "syslogng" in [tags] {
    # Map syslog-ng's macro names onto the field names the rest of the
    # pipeline expects. Logstash's mutate applies rename before lowercase,
    # so lowercasing the renamed field further down is safe.
    #
    # Trust notes for downstream consumers:
    #  - PROGRAM (-> type) is asserted by the sending host. The tagging
    #    below keys on [type], so a sender that chooses its PROGRAM value
    #    can influence how its events are classified; treat [type] as
    #    untrusted input, not as an authenticated log source.
    #  - HOST (-> syslog-host) is the hostname carried in the message
    #    header, i.e. also client-asserted. SOURCEIP (-> syslog-sourceip)
    #    is presumably the peer address syslog-ng received from — confirm
    #    against the syslog-ng macro docs — and is the better field for
    #    attributing an event to a sender during an investigation.
    mutate {
      rename => {
        "MESSAGE"       => "message"
        "PROGRAM"       => "type"
        "FACILITY"      => "syslog-facility"
        "FILE_NAME"     => "syslog-file_name"
        "HOST"          => "syslog-host"
        "HOST_FROM"     => "syslog-host_from"
        "LEGACY_MSGHDR" => "syslog-legacy_msghdr"
        "PID"           => "syslog-pid"
        "PRIORITY"      => "syslog-priority"
        "SOURCEIP"      => "syslog-sourceip"
        "TAGS"          => "syslog-tags"
      }
      lowercase => [ "syslog-host_from" ]
      # syslog-ng's own timestamp and sequence number are dropped here.
      remove_field => [ "ISODATE", "SEQNUM" ]
      #add_tag => [ "conf_file_1001"]
    }

    # Coarse classification by program name. Bro logs get "bro"; anything
    # whose type does not match ossec/snort and that is not already tagged
    # "firewall" gets the generic "syslog" tag. Events that match neither
    # branch leave this file with no extra tag.
    if "bro_" in [type] {
      mutate { add_tag => [ "bro" ] }
    } else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
      mutate { add_tag => [ "syslog" ] }
    }
  }
}