# Author: Justin Henderson
# Email: [email protected]
# Last Update: 11/18/2015
#
# This configuration file parses GreenSQL log data. There is no input section because the log is expected to arrive via the shared syslog input.
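filter {
  if [type] == "greensql" {
    # Parse the fields out of GreenSQL syslog events.
    #
    # Two event formats are expected:
    #   1. query/traffic records (Database=, User=, Application Name=, Source IP=, ... Query=)
    #   2. admin/console audit records (Admin_Name=, IP_Address=, User_Agent=, ... Severity=)
    #
    # Both patterns are listed as an array under the single "message" key so grok
    # tries them in order and stops at the first match (break_on_match defaults
    # to true). Declaring `match` twice in one grok block is not the documented
    # way to provide alternatives and, depending on the Logstash version, the
    # later `match` can shadow the earlier one, which would silently leave the
    # traffic records unparsed.
    #
    # The field name "Transcation" (sic) is kept so existing searches and
    # dashboards keyed on it keep working; fix it downstream with a rename if
    # needed. "Target IP=?" makes the "=" optional in the traffic pattern — it is
    # preserved as written, presumably to cover a log variant without it (unverified).
    grok {
      match => {
        "message" => [
          "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\s*Database=%{DATA:Database}\sUser=%{DATA:UserName}\sApplication Name=%{DATA:Application}\sSource IP=%{IPV4:SrcIp}\sSource Port=%{INT:SrcPort}\sTarget IP=?%{IPV4:DstIp}\sTarget Port=%{DATA:DstPort}\sQuery=%{GREEDYDATA:Query}",
          "<%{INT:Code}>%{DATA:Category}\[%{INT:Transcation}\]:\sAdmin_Name=%{DATA:UserName}\sIP_Address=%{IPV4:SrcIp}\sUser_Agent=%{DATA:UserAgent}\sMessage=%{DATA:StatusMessage}\sDescription=%{DATA:Description}\sSeverity=%{GREEDYDATA:Severity}"
        ]
      }
    }
    # Drop the raw message only once it has been parsed successfully. When no
    # pattern matches, grok tags the event with _grokparsefailure; keeping the
    # original line in that case means the unparsed record is still searchable
    # and the evidence needed to correct the pattern is not thrown away.
    if "_grokparsefailure" not in [tags] {
      mutate {
        remove_field => [ "message" ]
      }
    }
  }
}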
# Ship parsed GreenSQL events to Elasticsearch.
#
# No options are set, so the elasticsearch output runs with its defaults
# (Elasticsearch on localhost:9200, plain HTTP, no credentials — confirm against
# the plugin version in use). If the cluster is remote or shared, set hosts and
# enable transport security and authentication here rather than relying on the
# defaults, and consider a dedicated index so GreenSQL data can be given its own
# retention and access controls.
output {
if [type] == "greensql" {
elasticsearch {
}
}
}