# TAG the input as you like
# Syslog listener for the firewall. Every event it emits gets
# type "syslog" and the tag "pfsense", which the filter stage below keys on.
# NOTE(review): the syslog input does not authenticate senders and listens on
# all interfaces unless `host` is set; limit which hosts can reach this port
# (host firewall and/or the `host` option) so only the firewall feeds it.
input {
  syslog {
    tags => [ "pfsense" ]
    type => "syslog"
    port => "5146"
  }
}
# Stage 1: classify pfSense syslog events by the originating program and parse
# each kind with its own grok pattern (patterns live in patterns_dir).
# Each branch tags the event by program before grok runs, so the program tag is
# present even when parsing fails; grok then adds a success or nomatch tag.
filter {
  if "pfsense" in [tags] {
    if [program] =~ /^filterlog$/ {
      # Packet-filter (pf) log lines.
      mutate {
        add_tag => [ "packetfilter" ]
      }
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => { "message" => "%{PFSENSE_LINE}" }
        add_tag => [ "_grok_filterlog_success" ]
        tag_on_failure => [ "_grok_filterlog_nomatch" ]
      }
    } else if [program] =~ /^openvpn$/ {
      # OpenVPN daemon log lines.
      mutate {
        add_tag => [ "openvpn" ]
      }
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => { "message" => "%{PF_OVPN}" }
        add_tag => [ "_grok_ovpn_success" ]
        tag_on_failure => [ "_grok_ovpn_nomatch" ]
      }
    } else if [program] =~ /^dhcpd$/ {
      # DHCP server log lines.
      mutate {
        add_tag => [ "dhcpd" ]
      }
      grok {
        patterns_dir => "/etc/logstash/patterns.d"
        match => { "message" => "%{PFSENSE_DHCPD}" }
        add_tag => [ "_grok_dhcpd_success" ]
        tag_on_failure => [ "_grok_dhcpd_nomatch" ]
      }
    }
  }
}
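# Stage 2: GeoIP enrichment of the source and destination addresses.
# [source_ip] / [dest_ip] are expected to come from the grok patterns used in
# stage 1 (not visible here — confirm against the pattern files).
#
# Fix: the geoip lookups write under the custom targets [source_ip_geoip] and
# [dest_ip_geoip], but the original add_field/convert lines referenced
# [geoip][longitude] / [geoip][latitude] / [geoip][coordinates], which are
# never populated here. The result was a literal "%{[geoip][longitude]}"
# string (and a failing float convert), and both lookups appended into the
# same [geoip][coordinates] field. Each block now builds its coordinates
# pair from, and stores it under, its own target.
#
# add_field is listed twice on purpose: adding to an existing field appends,
# so coordinates becomes the [longitude, latitude] array that map
# visualisations expect; the following mutate turns both entries into floats.
#
# NOTE(review): "GeoLiteCity.dat" is the legacy database format; newer geoip
# plugin versions expect a GeoLite2 .mmdb file — verify against the installed
# plugin version. Private (RFC1918) addresses from the LAN will not resolve;
# the plugin tags those events with a lookup-failure tag and skips add_field.
filter {
  if [source_ip] {
    geoip {
      source => "source_ip"
      target => "source_ip_geoip"
      database => "/opt/geoip/GeoLiteCity.dat"
      add_field => [ "[source_ip_geoip][coordinates]", "%{[source_ip_geoip][longitude]}" ]
      add_field => [ "[source_ip_geoip][coordinates]", "%{[source_ip_geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[source_ip_geoip][coordinates]", "float" ]
    }
  }
  if [dest_ip] {
    geoip {
      source => "dest_ip"
      target => "dest_ip_geoip"
      database => "/opt/geoip/GeoLiteCity.dat"
      add_field => [ "[dest_ip_geoip][coordinates]", "%{[dest_ip_geoip][longitude]}" ]
      add_field => [ "[dest_ip_geoip][coordinates]", "%{[dest_ip_geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[dest_ip_geoip][coordinates]", "float" ]
    }
  }
}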