pillar.example

---
logstash:
  java: openjdk-8-jre-headless
  use_upstream_repo: True
  repo:
      version: major or minor version number
      old_repo: False
  inputs:
    -
      plugin_name: file
      path:
        - /var/log/syslog
        - /var/log/auth.log
      type: syslog
  filters:
    -
      plugin_name: grok
      cond: 'if [type] == "syslog"'
      match:
        message: '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}'
      add_field:
        received_at: '%{@timestamp}'
        received_from: '%{host}'

    -
      plugin_name: 'mutate'
      cond: 'if [log][file][path] == "/var/log/nginx/admin_access.log"'
      add_field: 
        '"[@metadata][target_pipeline]"': 
        # double quotes required to address adding fields that reference data from other fields. One use case is the use of metadata fields, which is shown below
         "nginx.pipeline"
        '"[@metadata][target_index]"': 
         "acess-nginx"

    -
      plugin_name: grok
      cond: 'else if [type] == "nginx"'
      match:
        message: '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{URIPATHPARAM:request}(?: HTTP/%{NUMBER:httpversion})?|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) \"(?:%{URI:referrer}|-)\" %{QS:agent}'
      add_field:
        received_at: '%{@timestamp}'
        received_from: '%{host}'
    -
      plugin_name: date
      match:
        - 'syslog_timestamp'
        - 'MMM  d HH:mm:ss'
        - 'MMM dd HH:mm:ss'        
    -
      plugin_name: mutate
      cond: 'if [type] == "syslog"'
      gsub:
        - "message"
        #extra escape charactor required to write from pillar to logstash config
        - "\\/"
        - "_"    
    -
      plugin_name: mutate
      cond: 'if [type] == "syslog"'
      remove_field:
        - starting
        - ending
    -
      plugin_name: mutate
      cond: 'if [type] == "syslog" and "apache" in [source]'
      add_field:
        user: "%{auth}"
      remove_field: ["auth"]
      
  outputs:
    -
      plugin_name: lumberjack
      hosts:
        - logs.example.com
      port: 5000
      ssl_certificate: /etc/ssl/certs/lumberjack.crt
    
    - 
      plugin_name: elasticsearch
      cond: 'if [@metadata][target_pipeline] and [@metadata][target_index]'
      pipeline: "%{[@metadata][target_pipeline]}"
      hosts: 
        - elasticsearch.example.com
      user: 
      password: 
      index: "%{[@metadata][target_index]}-%{+YYYY.MM.dd}"
      ssl: true
      ssl_certificate_verification: true