logstash-syslog.conf

input {
    file {
        path => "/var/log/syslog"
        start_position => beginning
        type => "syslog"
    }
}
filter {
    if [type] == "syslog" {
        grok {
            match => {
                "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message} %{IPV4:SrcIP}(:%{INT:SrcPort})? -> %{IPV4:DstIP}(:%{INT:DstPort})?"
            }
        }
        grok {
            match => {
                "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message} %{IPV6:SrcIPv6}(:%{INT:SrcPort})? -> %{IPV6:DstIPv6}(:%{INT:DstPort})?"
            }
        }
        grok {
            match => {
                "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{MONTHDAY:monthday}\-%{MONTH:month}\-%{YEAR:year} %{TIME:q_time} %{WORD:queries}\: %{WORD:info}\: %{WORD:client} \@%{WORD:id_word} %{IP:clientip}\#%{NUMBER:port} \(%{USERNAME:domain}\)\: %{WORD:view} %{WORD:external}\: %{WORD:query}\: %{USERNAME:domain_02} %{WORD:in} %{WORD:any} %{GREEDYDATA:lank} \(%{IP:ip_add}\)"
            }
        }
        grok {
            match => {
                "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
            }
        }
        geoip {
            source => "[SrcIP]"
            target => "SrcGro"
        }
        geoip {
            source => "[DstIP]"
            target => "DstGro"
        }
        geoip {
            source => "[SrcIPv6]"
            target => "SrcGroIPv6"
        }
        geoip {
            source => "[DstIPv6]"
            target => "DstGroIPv6"
        }
        geoip {
            source => "[clientip]"
            target => "ClientIP"
        }
        date {
            match => ["syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]
            target => "@timestamp"
            add_tag => ["tmatch"]
        }
    }
}
output {
    elasticsearch {
        hosts => ["http://localhost:9200"]
        index => "index-syslog"
    }
    stdout {}
}