
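filter {
  grok {
    # Split one syslog line into fields. The raw line is expected in a field
    # called "whole" (presumably populated by the input; confirm against the
    # pipeline). GREEDYDATA keeps the remainder of the line as syslog_message.
    match => { "whole" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
  date {
    # The field name must match the grok capture above: the original captured
    # "timestamp" but asked date to parse "syslog_timestamp", so there was
    # nothing to parse and the event kept its ingest time. Syslog timestamps
    # carry neither year nor zone and use English month names, so set
    # `timezone` / `locale` here when the sender differs from the Logstash
    # host, or the stored event time will be off.
    match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}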
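filter {
  grok {
    # Split one syslog line into fields. The raw line is expected in a field
    # called "whole" (presumably populated by the input; confirm against the
    # pipeline). GREEDYDATA keeps the remainder of the line as syslog_message.
    match => { "whole" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
  date {
    # The field name must match the grok capture above: the original captured
    # "timestamp" but asked date to parse "syslog_timestamp", so there was
    # nothing to parse and the event kept its ingest time. Syslog timestamps
    # carry neither year nor zone and use English month names, so set
    # `timezone` / `locale` here when the sender differs from the Logstash
    # host, or the stored event time will be off.
    match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}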
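# ASA-6-302013 .. 302016 (single pattern; direction captured via CISCO_DIRECTION).
# A grok definition must be one physical line — the source had been wrapped by extraction.
# NOTE: this form names the NAT fields src_mapped_*/dst_mapped_*, while the _1/_2 variants
# later in this file use *_xlated_*; loading both gives two spellings of the same field downstream.
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?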
May 27 00:00:00 gprs-ct-asa01 %ASA-6-302014:
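# ASA-6-302020 / 302021 (ICMP connections). The _1/_2 split keeps src_ip as the
# initiating side: in the outbound variant the faddr/laddr captures are swapped.
# Each definition must stay on one physical line (the source was wrapped by extraction).
# ASA-6-302020_302021 inbound
CISCOFW302020_302021_1 %{CISCO_ACTION:action}(?: (?<direction>inbound))? %{WORD:protocol} connection for faddr %{IP:src_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:dst_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:dst_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
# ASA-6-302020_302021 outbound
CISCOFW302020_302021_2 %{CISCO_ACTION:action}(?: (?<direction>outbound))? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?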

================================================================================
=========================================
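# Cisco ASA connection/denial/VPN messages, one grok definition per line.
# Convention used throughout: the _1 (inbound) and _2 (outbound) variants swap the
# src_*/dst_* capture names so that src_ip always denotes the initiating side.
# Every definition must stay on one physical line; the source had been wrapped by
# extraction. Most of these patterns are a chain of optional groups built on DATA /
# GREEDYDATA, which can backtrack heavily on lines that almost match — worth keeping
# in mind if grok timeouts show up on this pipeline.
# ASA-6-302020_302021 inbound
CISCOFW302020_302021_1 %{CISCO_ACTION:action}(?: (?<direction>inbound))? %{WORD:protocol} connection for faddr %{IP:src_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:dst_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:dst_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
# ASA-6-302020_302021 outbound
CISCOFW302020_302021_2 %{CISCO_ACTION:action}(?: (?<direction>outbound))? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?

# ASA-2-106001 inbound
CISCOFW106001_1 (?<direction>Inbound) %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
# ASA-2-106001 outbound
CISCOFW106001_2 (?<direction>Outbound) %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:dst_ip}/%{INT:dst_port} to %{IP:src_ip}/%{INT:src_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
# ASA-2-106006, ASA-2-106007 inbound
CISCOFW106006_106007_1 %{CISCO_ACTION:action} (?<direction>inbound) %{WORD:protocol} from %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? to %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})
# ASA-2-106006, ASA-2-106007 outbound
CISCOFW106006_106007_2 %{CISCO_ACTION:action} (?<direction>outbound) %{WORD:protocol} from %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? to %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})
# ASA-2-106010
CISCOFW106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? dst %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))?
# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016 inbound
CISCOFW302013_302014_302015_302016_1 %{CISCO_ACTION:action}(?: (?<direction>inbound))? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_xlated_ip}/%{INT:src_xlated_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_xlated_ip}/%{INT:dst_xlated_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?
# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016 outbound
CISCOFW302013_302014_302015_302016_2 %{CISCO_ACTION:action}(?: (?<direction>outbound))? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_xlated_ip}/%{INT:dst_xlated_port}\))?(\(%{DATA:dst_fwuser}\))? to %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_xlated_ip}/%{INT:src_xlated_port}\))?(\(%{DATA:src_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?
# ASA-6-602303, ASA-6-602304 inbound
CISCOFW602303_602304_1 %{WORD:protocol}: An (?<direction>inbound) %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ACTION:action}
# ASA-6-602303, ASA-6-602304 outbound
# Fixed: the original captured both peers as dst_ip, so the second address overwrote the first
# and no src_ip was ever produced for outbound SAs; the peers are now swapped like every other _2 pattern.
CISCOFW602303_602304_2 %{WORD:protocol}: An (?<direction>outbound) %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:dst_ip} and %{IP:src_ip} \(user= %{DATA:user}\) has been %{CISCO_ACTION:action}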
================================================================================
====================================================

# Lay out the plugin tree Logstash expects under the plugin root:
# <plugin root>/logstash/filters/<plugin name>.rb
mkdir -p "logstash/filters"
cd "logstash/filters"
# The filter below is saved in this directory as 'foo.rb'.

require "logstash/filters/base"
require "logstash/namespace"
# Minimal example filter: replaces the event's "message" field with the string
# given as `message => "..."` in the pipeline configuration.
#
# Everything under the directory passed with --pluginpath is loaded and run as
# Ruby inside Logstash, so that tree should live in a trusted, write-protected
# location.
class LogStash::Filters::Foo < LogStash::Filters::Base
  # The name by which the pipeline config refers to this filter:
  #
  #   filter {
  #     foo { ... }
  #   }
  config_name "foo"

  # Maturity marker; new plugins start at 1.
  milestone 1

  # Replacement text for the event's "message" field. When it is not
  # configured the event passes through with its message intact.
  config :message, :validate => :string

  # Nothing to initialise for this plugin; the hook is kept because the base
  # class provides it for one-time setup.
  def register; end

  # Applies the filter to a single event.
  #
  # @param event [LogStash::Event] the event flowing through the pipeline
  # @return [nil] when the event is not one this filter should handle
  def filter(event)
    return unless filter?(event)

    # Unconditional overwrite: the original text of "message" is lost.
    event["message"] = @message if @message

    # Must remain the last statement on the success path.
    filter_matched(event)
  end
end
# example.conf — smallest pipeline that exercises the foo filter.
input {
  # Read lines typed on the terminal and tag each event with type "foo".
  stdin { type => "foo" }
}

filter {
  # Only events of type "foo" are rewritten; every stdin line qualifies here.
  if [type] == "foo" {
    # Replaces the original text of the event's "message" field.
    foo { message => "Hello world!" }
  }
}

output {
  # Print each event on standard output.
  stdout {}
}

You can use the agent's --pluginpath flag to specify where the root of your plugin tree is. In our case, it's the current directory.
% bin/logstash --pluginpath your/plugin/root -f example.conf

% bin/logstash -f example.conf
the quick brown fox
2011-05-12T01:05:09.495000Z stdin://snack.home/: Hello world!
The output is the standard logstash stdout output, but in this case our "the quick brown fox" message was replaced with "Hello world!".
All done! :)
