input {
  # tcp {
  #   port => 5000
  #   type => syslog
  # }
  # udp {
  #   port => 5000
  #   type => syslog
  # }
    file{
        type => syslog
        path => "/config/data.csv"
        start_position => "beginning"
    }
}
filter {
    if [type] == "syslog" {
        syslog_pri{}
        grok {
            match => { "message" => [
                "%{SYSLOGTIMESTAMP:syslog_timestamp} (%{SYSLOGHOST:syslog_hostname} |)%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}",
                "%{SYSLOGTIMESTAMP:syslog_timestamp} (%{SYSLOGHOST:syslog_hostname} |)%{GREEDYDATA:syslog_message}"
                ]
             }
            add_field => [ "received_at", "%{@timestamp}" ]
            add_field => [ "received_from", "%{host}" ]
        }
        date {
            match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
        mutate {
    	      # replace => [ "message", "%{syslog_message}" ]
    	      rename => [ "syslog_message", "message" ]
    	}
    }
    if [syslog_program] == "mwg"{
        kv{
            field_split => "|"
            transform_key => "lowercase"
            trim_value => '"'
            target => "mwg"
            add_tag => "mwg"
            remove_field => "message"
            include_keys => [
            "devtime",
            "referer",
            "httpmethod",
            "bytes",
            "mediatype",
            "useragent",
            "blockreason",
            "url",
            "dst",
            "httpstatus",
            "src",
            "urlcategories",
            "usrname"
            ]
        }
        mutate{
            convert => { "mwg[bytes]" => "integer" }
        }
        date{
            match => ["mwg[devtime]" , "UNIX_MS"]
            # target => "mwg[timestamp]"
        }
        useragent {
            source => "mwg[useragent]"
            target => "mwg[ua]"
        }
        geoip {
            source => "mwg[dst]"
        }

        grok {
          match => { "mwg[url]" => "%{URIPROTO:mwg[parsedurl][protocol]}://(?<mwg[parsedurl][host]>[^/]+)(/(?<mwg[parsedurl][path]>[^?]+)(\?%{GREEDYDATA:mwg[parsedurl][parameters]})?)?" }
        }
        grok {
        match => { "mwg[parsedurl][host]" => "((?<mwg[parsedurl][subdomain]>[^/]+)\.)?(?<mwg[parsedurl][domain]>[^/.]+)\.(?<mwg[parsedurl][tld]>[^/.]+)" }
        }

        grok {
          match => { "mwg[parsedurl][parameters]" => "q=(?<mwg[parsedurl][querystring]>[^&]+)" }
          add_tag => "querystring"
          tag_on_failure => "no_querystring"
        }
        urldecode {
          field => "mwg[parsedurl][querystring]"
          add_tag => "urldecoded_querystring"
        }
        urldecode {
          field => "mwg[parsedurl][parameters]"
          add_tag => "urldecoded_parameters"
        }

	# parsing von allen url parameter macht probleme weil zu viele
        # kv {
        #         source => "mwg[parsedurl][parameters]"
        #         field_split => "&"
        #         target => "mwg[parsedurl][parsedparameters]"
        # }


    }
}
output {
 elasticsearch {
   hosts => ["elasticsearch:9200"]
   index => "logstash-testindex"
 }
  stdout { codec => rubydebug }
}