securityonion/salt/logstash/pipelines/config/so/6101_switch_brocade.conf

# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016

filter {
  if [type] == "brocade" {
    grok {
      match => ["message", "<%{DATA}>%{GREEDYDATA:sys_message}"]
    }
    grok {
      match => { "sys_message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid:int}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
    }
    if [syslog_message] =~ "Interface ethernet" or [syslog_program] == "PORT" {
      grok {
        match => { "syslog_message" => "%{DATA}%{INT:unit}\/%{INT:interface_type}\/%{INT:interface:int}" }
      }
      mutate {
        add_field => { "interface_port" => "%{unit}/%{interface_type}/%{interface}" }
      }
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      timezone => "America/Chicago"
      remove_field => "syslog_timestamp"
      remove_field => "received_at"
    }
	mutate {
		#add_tag => [ "conf_file_6101"]
	}
  }
}