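# Logstash pipeline: listen for syslog on port 5140 (TCP and UDP), parse each
# line, then route by parse result — parsed events go to Elasticsearch, lines
# the primary pattern cannot parse go to a local failure log for inspection.

input {
  # Both listeners are plain syslog: no transport encryption and no sender
  # authentication. Any host that can reach port 5140 can inject events, and
  # every field and tag extracted in the filter section (user, hostname,
  # fingerprint, command, ...) is taken verbatim from the message text.
  # Restrict reachability at the network layer, or use the tcp input's TLS
  # options, before trusting these fields for alerting.
  tcp {
    port => 5140
    type => syslog
  }
  udp {
    port => 5140
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    # Primary parse: timestamp, host, program, optional [pid], message.
    # tag_on_failure is left at its default here on purpose: a line that does
    # not match receives "_grokparsefailure", which the output section uses to
    # divert it to the failure log.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Both enrichment fields in a single add_field hash, so the setting is
      # stated once rather than relying on the parser to merge repeated keys.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }

    # Optional enrichment for LOGIN audit lines. Most syslog traffic is not a
    # LOGIN record, so tag_on_failure => [] keeps non-matching lines from being
    # marked as parse failures.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA}(?:\[%{POSINT}\])?: LOGIN: USER: %{USERNAME:user}, HOSTNAME: %{IPORHOST:hostname}, FROM: %{IPORHOST:from_host}, FINGERPRINT: %{NOTSPACE:fingerprint}, SSH_USER: %{NOTSPACE:ssh_user}:" }
      # NOTE(review): "%{user}" becomes a tag straight from message content;
      # whoever wrote the log line (see the input note) chooses this tag value.
      add_tag => [ "%{user}", "login_event" ]
      tag_on_failure => []
    }

    # Optional enrichment for BASHLOG command-audit lines; same failure
    # handling and same caveat about the "%{user}" tag as above.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA}(?:\[%{POSINT}\])?: BASHLOG: USER: %{USERNAME:user}, HOSTNAME: %{IPORHOST:hostname}, FINGERPRINT: %{NOTSPACE:fingerprint}, SSH_USER: %{NOTSPACE:ssh_user}, CMD: %{GREEDYDATA:command}" }
      add_tag => [ "bashlog", "%{user}" ]
      tag_on_failure => []
    }

    # Derives facility/severity from the syslog PRI value. The primary grok
    # above does not capture a "syslog_pri" field, so this filter runs with its
    # default field handling — confirm that is the intended result.
    syslog_pri { }

    # Set @timestamp from the parsed syslog timestamp. Standard syslog pads a
    # single-digit day with a space ("Oct  5"), so the two-space form is listed
    # first; the single-space form covers senders that do not pad, and the
    # last pattern covers two-digit days.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  if [type] == "syslog" {
    # Parse failures and successes are mutually exclusive, so a single
    # if/else replaces two separate membership tests on [tags].
    if "_grokparsefailure" in [tags] {
      # Unparsed lines are kept verbatim for inspection; this file grows
      # without bound, so rotate or monitor it.
      file {
        path => '/var/log/logstash/grokfailures.log'
      }
    } else {
      # NOTE(review): `host` is the option name of older elasticsearch output
      # releases; newer ones expect `hosts` — confirm against the installed
      # plugin version.
      elasticsearch {
        host => localhost
      }
    }
  }
}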