input {
        udp {
                port => 10514
                tags => ["cisco-asa"]
        }
}

filter {
    if "cisco-asa" in [tags] {
        grok {
            patterns_dir => ["/etc/logstash/patterns"]
            match => [
                    "message", "%{ESGCISCOFWUNKNOWN}"
            ]
           
        }
        grok {
            patterns_dir => ["/etc/logstash/patterns"]
            match => [
                    "log_msg", "%{ESGCISCOFW106001}",
                    "log_msg", "%{ESGCISCOFW106006_106007_106010}",
                    "log_msg", "%{ESGCISCOFW106014}",
                    "log_msg", "%{ESGCISCOFW106015}",
                    "log_msg", "%{ESGCISCOFW106021}",
                    "log_msg", "%{ESGCISCOFW106023}",
                    "log_msg", "%{ESGCISCOFW106100}",
                    "log_msg", "%{ESGCISCOFW110002}",
                    "log_msg", "%{ESGCISCOFW302010}",
                    "log_msg", "%{ESGCISCOFW302013_302014_302015_302016}",
                    "log_msg", "%{ESGCISCOFW302020_302021}",
                    "log_msg", "%{ESGCISCOFW305011}",
                    "log_msg", "%{ESGCISCOFW313001_313004_313008}",
                    "log_msg", "%{ESGCISCOFW402117}",
                    "log_msg", "%{ESGCISCOFW402119}",
                    "log_msg", "%{ESGCISCOFW419001}",
                    "log_msg", "%{ESGCISCOFW419002}",
                    "log_msg", "%{ESGCISCOFW500004}",
                    "log_msg", "%{ESGCISCOFW602303_602304}",
                    "log_msg", "%{ESGCISCOFW710001_710002_710003_710005_710006}",
                    "log_msg", "%{ESGCISCOFW713172}",
                    "log_msg", "%{ESGCISCOFW722051}",
                    "log_msg", "%{ESGCISCOFW722037}",
                    "log_msg", "%{ESGCISCOFW113019}",
                    "log_msg", "%{ESGCISCOFW7500_03_12}",
                    "log_msg", "%{ESGCISCOFW113005}",
                    "log_msg", "%{ESGCISCOFW733100}"
            ]
        
        
        }
        

        # Parse the syslog severity and facility
        syslog_pri { }
        geoip {
            source => "src_ip"
            target => "geoip"  
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]                
            add_field => [ "[geoip][geohash]", "%{[geoip][coordinates]}" ]
        }
        mutate {
            remove_field => [ "message" ]
            gsub => ["event-code","4-106023","Reject"]
            gsub => ["event-code","4-419002","Duplicate TCP SYN"]
            gsub => ["event-code","3-710003","Reject"]
            gsub => ["event-code","2-106001","Reject"]
            gsub => ["event-code","4-313005","ICMP Reject"]
            gsub => ["event-code","3-313001","ICMP Reject"]
            gsub => ["event-code","3-210007","LU allocate xlate failed"]
            gsub => ["event-code","2-106017","Land Atack"]
            gsub => ["event-code","4-722051","Remconn address assigned"]
            gsub => ["event-code","4-113019","Remconn session disconnected"]
            gsub => ["event-code","4-722037","Remconn closing connection"]
            gsub => ["event-code","4-722041","Remconn IPv6 not available"]
            gsub => ["event-code","3-713194","IKE delete"]
            gsub => ["event-code","4-750003","IKEv2 Error"]
            gsub => ["event-code","4-750012","IKEv2 Error"]
            gsub => ["event-code","4-405001","ARP collision"]
            gsub => ["event-code","4-113005","AAA user authentication Rejected"]
        }
    }
}

output {
  if "cisco-asa" in [tags] {
    #stdout { codec => rubydebug }
    elasticsearch {        
         hosts => ["127.0.0.1:9200"]
         index => "cisco-asa-%{+YYYY.MM.dd}"
         document_type => "cisco-asa"
         template => "/etc/logstash/templates/elastic-cisco-asa-template.json"
         template_name => "cisco-asa"
         template_overwrite => true
    }
  }
}