# Copyright © 2008-2016 Parallels International GmbH. All rights reserved. input { beats { client_inactivity_timeout => 1200 ssl => false host => "0.0.0.0" port => 5044 } gelf { host => "0.0.0.0" port => 12201 } http { ssl => false host => "0.0.0.0" port => 8888 } tcp { mode => "server" host => "0.0.0.0" port => 5010 } udp { host => "0.0.0.0" port => 5000 } } #[W 06/0000000D/T000005EC] Thu Aug 24 05:44:10 2017 - Logon failed user 'admin' domain 'testras' client IP '10.225.2.187' gateway IP '10.25.1.51' [31 15 16 0] (The user name or password is incorrect. [0x0000052e]) # filter { grok { match => [ "message", "\[(?[C|E|W|I|T|D]) (?[a-fA-F0-9]{2})/(?[a-fA-F0-9]{8})/(?[Ta-fA-F0-9]{9})\] %{DAY}[ ]+(?%{MONTH}[ ]+%{MONTHDAY}[ ]+%{TIME}[ ]+%{YEAR}[ ])+-[ ]+%{GREEDYDATA:RAS_MessageText}", "message", "%{GREEDYDATA:RAS_MessageText}" ] } date { match => [ "RAS_LogTimestamp", "MMM d HH:mm:ss YYYY ", "MMM dd HH:mm:ss YYYY " ] # timezone => "UTC" target => "@timestamp" remove_field => ["RAS_LogTimestamp"] } translate { field => "RAS_ModuleCode" destination => "RAS_Module" dictionary => [ "FF","NONE", "00","GENERIC", "01","LAUNCHER", "02","CLIENT", "03","CONSOLE", "04","TSAGENT", "05","CLIENTGW", "06","PUBAGENT", "07","REDUNDANCY", "08","PRINTING", "09","SHELL", "0A","WEBSERVICE", "0B","VDIMANAGER", "0C","VDIPROVIDER", "0D","WEBPORTAL", "0E","NEWAUTH", "0F","TWAIN", "10","ASYNC_CHANNEL", "11","SSO", "12","USBWRITER", "13","CONMANAGER", "14","WISEBROKER", "15","GUESTAGENT", "16","SERVERSETUPCA", "17","WEBSETUPCA", "18","CLIENTSETUPCA", "19","PCAGENT", "1A","ANDROID_CLIENT", "1B","RDP_LIBRARY", "1C","VID", "1D","WINPHONE", "1E","GENERICSETUP", "1F","CS_GENERIC", "20","CLIENTHB", "21","BASICCLIENTINST", "22","PHPEXTENSION", "23","TUXRDPCLIENT", "24","ASREPORTING", "25","ASREPORTING_ENGINE", "26","ASREPORTING_CONSOLE", "27","ASREPORTING_CA", "28","VCHANNELS", "29","HTML5GW", "2A","CLIENT_SERVICE", "2B","SCARDREDIRECTOR", "2C","SCARDHOOKER", "2D","SCARDAUTH_CLIENT", "2E","SCARDAUTH_SERVER", "2F","SCARDCREDPROV", "30","WIA", "31","HALBAGENT", "32","DRIVE", "33","REMOTEAPPS", "34","WEBRDP", "35","UDAGENT", "36","HTML5_NEWAUTH", "37","HTML5_WEBSERVER", "38","CLIENTSEAMLESS", "40","PSAGENT", "50","SHELLHOOK", "51","RASSHIM", "52","UDINST", "53","PSINTERFACE", "54","SYNCLAYER", "55","NOTIF_DISPATCHER", "56","LICENSING", "57","DEVSCHEDULER", "58","TSSCHEDULER", "59","QKP_REGINTERFACE", "60","USBPROXY", "61","USBTHREAD", "62","MTPPROXY", "63","DYNAMTP" ] } } filter { if "controller.log" in [source] { mutate { add_field => { "RAS_LogSource" => "controller.log"} } } else if "shell.log" in [source] { mutate { add_field => { "RAS_LogSource" => "shell.log"} } } else if "redundancy.log" in [source] { mutate { add_field => { "RAS_LogSource" => "redundancy.log"} } } else if "VDSAgent.log" in [source] { mutate { add_field => { "RAS_LogSource" => "VDSAgent.log"} } } else if "notifdispatch.log" in [source] { mutate { add_field => { "RAS_LogSource" => "notifdispatch.log" } } } else if "gateway.log" in [source] { mutate { add_field => { "RAS_LogSource" => "gateway.log" } } } else if "tsagent.log" in [source] { mutate { add_field => { "RAS_LogSource" => "tsagent.log" } } } else if "tsscheduler.log" in [source] { mutate { add_field => { "RAS_LogSource" => "tsscheduler.log" } } } else if "devredir.log" in [source] { mutate { add_field => { "RAS_LogSource" => "devredir.log" } } } else if "console.log" in [source] { mutate { add_field => { "RAS_LogSource" => "console.log" } } } else if "RASMsi.log" in [source] { mutate { add_field => { "RAS_LogSource" => "RASMsi.log" } } } else if "vdiagent.log" in [source] { mutate { add_field => { "RAS_LogSource" => "vdiagent.log" } } } else if "setupca.log" in [source] { mutate { add_field => { "RAS_LogSource" => "setupca.log" } } } else if "guestagent.log" in [source] { mutate { add_field => { "RAS_LogSource" => "guestagent.log" } } } else if "univinst.log" in [source] { mutate { add_field => { "RAS_LogSource" => "univinst.log" } } } else if "scardhooker.log" in [source] { mutate { add_field => { "RAS_LogSource" => "scardhooker.log" } } } else if "univprn.log" in [source] { mutate { add_field => { "RAS_LogSource" => "univprn.log" } } } else if "univtwain.log" in [source] { mutate { add_field => { "RAS_LogSource" => "univtwain.log" } } } else if "devscheduler.log" in [source] { mutate { add_field => { "RAS_LogSource" => "devscheduler.log" } } } else if "licensing.log" in [source] { mutate { add_field => { "RAS_LogSource" => "licensing.log" } } } else if "HTML5GW" in [source] { mutate { add_field => { "RAS_LogSource" => "HTML5GW.log" } } } } output { elasticsearch { hosts => ["127.0.0.1:9200"] manage_template => false index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" # document_type => "%{[@metadata][type]}" } }