14-iptables-filter.conf

filter {
  # IPTABLES
  if "iptables" in [tags] {
    mutate {
      add_tag              => [ "in_14" ]
    }
    grok {
      break_on_match => false

      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:program}: %{GREEDYDATA:content}" }

      match => { "content" => "IPT:IN=%{DATA:ipt_in} OUT=%{DATA:ipt_out} MAC=%{DATA:mac} SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{POSINT:length} %{DATA} PROTO=%{WORD:proto} SPT=%{POSINT:src_pt} DPT=%{POSINT:dst_pt} WINDOW=%{POSINT:window_size}%{GREEDYDATA}" }

      add_tag              => [ "iptables_processed" ]
      tag_on_failure       => ["_gpf_iptables" ]
    }
  }
    
  if "iptables_processed" in [tags] {
    mutate {
     replace               => { message => "%{content}" }
     remove_field          => [ "content" ]
     convert               => { "src_pt" => "integer" }
     convert               => { "dst_pt" => "integer" }
     convert               => { "window_size" => "integer" }
    }
    date {
      # 2016-08-10 01:45:53.835
      # 2016-08-13T17:00:47.532187+00:00
      # 2016-08-13T17:03:06.073437+00:00
                                            # 2016-08-13 T 17:04:48.230931+00:00
                                            # 2016-08-13 T 17:18:08.598193+00:00
      match                => [ "timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ" ]
      add_tag              => [ "iptables_date_match" ]
      tag_on_failure       => [ "iptables_date_fail" ]
    }
    metrics {
      meter                => [ "iptables_total" ]
      add_tag              => [ "metric" ]
      clear_interval       => 3600 # This needs to be multiples of 5
    }
  }
}