esxi.conf

# This configuration file takes ESXi syslog messages and filters them.  There is no input as the logs would have came in via syslog
filter {
  # This is an example of using an IP address range to classify a syslog message to a specific type of log
  # This is helpful as so many devices only send logs via syslog
  if [host] =~ "10\.[0-1]\.9\." {
    mutate {
      replace => ["type", "esxi"]
    }
  }
  if [host] =~ "\.234$" {
    mutate {
      replace => ["type", "esxi"]
    }
  }
  if [type] == "esxi" {
    grok {
      pattern => ['(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGHOST:logsource}) (?:%{SYSLOGPROG}): (?<messagebody>(?:\[(?<esxi_thread_id>[0-9A-Z]{8,8}) %{DATA:esxi_loglevel} \'%{DATA:esxi_service}\'\] %{GREEDYDATA:esxi_message}|%{GREEDYDATA}))']
    }
  }
}

output {
  if [type] == "esxi" {
    elasticsearch {
    }
  }
}