start rules for "process" logs

helps with #17

filter-50-process.conf

@@ -0,0 +1,16 @@
+filter {
+  if [icinga][facility] == "Process" {
+    if [message] =~ /PID/ {
+      grok {
+        match => ["message","PID %{POSINT:[icinga][pid]} was terminated by signal %{POSINT:[icinga][signal][code]} \({%{WORD:[icinga][signal][detail]}\)"]
+        id => "icinga_process_pidterminated"
+        add_tag => "icinga_process_pidterminated"
+        tag_on_failure => ["_grokparsefailure","icinga_process_pidterminated_failed"]
+        add_field => {
+          "[icinga][eventtype]" => "process_pidterminated"
+        }
+      }
+    }
+  }
+}
+