1+ <?xml version =" 1.0" encoding =" utf-8" ?>
2+ <databaseChangeLog
3+ xmlns =" http://www.liquibase.org/xml/ns/dbchangelog"
4+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
5+ xsi : schemaLocation =" http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd" >
6+
7+ <changeSet id =" 20260216001" author =" Manuel" >
8+
9+ <sql dbms =" postgresql" splitStatements =" true" stripComments =" true" >
10+ <![CDATA[
11+
12+ UPDATE public.utm_logstash_filter
13+ SET filter_version='3.0.2',
14+ updated_at = now(),
15+ logstash_filter = $$# VMWare-ESXi, version 3.0.2
16+ #
17+ # Based on docs and real logs provided
18+ # Support VMWare-ESXi log
19+ #
20+ # Documentations
21+ # 1- https://core.vmware.com/esxi-log-message-formats
22+ #
23+ # Implementation
24+ # 1. Parsing headers of syslog the message
25+ # 2. Parsing the RAW field containing the VMWare-ESXi
26+ pipeline:
27+ - dataTypes:
28+ - vmware-esxi
29+ steps:
30+ - grok:
31+ patterns:
32+ - fieldName: log.priority
33+ pattern: '\<{{.data}}\>'
34+ - fieldName: log.deviceTime
35+ pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)'
36+ - fieldName: origin.hostname
37+ pattern: '{{.hostname}}'
38+ - fieldName: log.process
39+ pattern: '{{.hostname}}(\:)'
40+ - fieldName: severity
41+ pattern: '{{.word}}'
42+ - fieldName: log.processName
43+ pattern: '{{.hostname}}'
44+ - fieldName: log.pid
45+ pattern: '\[{{.data}}\]'
46+ - fieldName: log.eventInfo
47+ pattern: '\[{{.data}}\]'
48+ - fieldName: log.message
49+ pattern: '{{.greedy}}'
50+
51+ - grok:
52+ patterns:
53+ - fieldName: log.priority
54+ pattern: '\<{{.data}}\>'
55+ - fieldName: log.deviceTime
56+ pattern: '{{.year}}(-){{.monthNumber}}(-){{.monthDay}}(T){{.time}}(Z)'
57+ - fieldName: origin.hostname
58+ pattern: '{{.hostname}}'
59+ - fieldName: log.process
60+ pattern: '{{.hostname}}'
61+ - fieldName: log.pid
62+ pattern: '\[{{.data}}\]:'
63+ - fieldName: log.message
64+ pattern: '{{.greedy}}'
65+
66+ - grok:
67+ patterns:
68+ - fieldName: log.priority
69+ pattern: '\<{{.data}}\>'
70+ - fieldName: log.deviceTime
71+ pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}T{{.time}}Z'
72+ - fieldName: origin.hostname
73+ pattern: '{{.hostname}}'
74+ - fieldName: log.process
75+ pattern: '{{.hostname}}'
76+ - fieldName: log.pid
77+ pattern: '\[{{.data}}\]:'
78+ - fieldName: log.originIdComponent
79+ pattern: '\[{{.data}}\]'
80+ - fieldName: log.message
81+ pattern: '{{.greedy}}'
82+
83+ - grok:
84+ patterns:
85+ - fieldName: log.moduleIdentifier
86+ pattern: '\[{{.data}}\@'
87+ - fieldName: log.irrelevant
88+ pattern: '{{.data}}\='
89+ - fieldName: log.subModuleIdentifier
90+ pattern: '{{.word}}\]'
91+ source: log.originIdComponent
92+
93+ - grok:
94+ patterns:
95+ - fieldName: log.irrelevant2
96+ pattern: '{{.data}}level{{.space}}='
97+ - fieldName: log.level
98+ pattern: '{{.integer}}'
99+ source: log.message
100+
101+ # Removing unused caracters
102+ - trim:
103+ function: prefix
104+ substring: '<'
105+ fields:
106+ - log.priority
107+ - trim:
108+ function: prefix
109+ substring: '['
110+ fields:
111+ - log.pid
112+ - log.eventInfo
113+ - log.moduleIdentifier
114+ - trim:
115+ function: prefix
116+ substring: '-'
117+ fields:
118+ - log.message
119+ - trim:
120+ function: suffix
121+ substring: '>'
122+ fields:
123+ - log.priority
124+ - trim:
125+ function: suffix
126+ substring: ':'
127+ fields:
128+ - log.pid
129+ - log.process
130+ - trim:
131+ function: suffix
132+ substring: ']'
133+ fields:
134+ - log.pid
135+ - log.eventInfo
136+ - log.subModuleIdentifier
137+ - trim:
138+ function: suffix
139+ substring: '-'
140+ fields:
141+ - log.message
142+ - trim:
143+ function: suffix
144+ substring: '@'
145+ fields:
146+ - log.moduleIdentifier
147+
148+ # Removing unused fields
149+ - delete:
150+ fields:
151+ - log.processName
152+ - log.irrelevant$$
153+ WHERE id = 1001;
154+ ]]>
155+ </sql >
156+ </changeSet >
157+ </databaseChangeLog >
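Review bot: `log.irrelevant2`, captured at line 95 only to anchor the `level =` grok, is left on the event because the final `delete` step at lines 149-152 removes only `log.processName` and `log.irrelevant`; add `- log.irrelevant2` to that list so the scratch field is not stored alongside the parsed ESXi event. The UPDATE is keyed on the literal `WHERE id = 1001` and the changeSet has no `<preConditions>`, so on a database where that row holds a different filter, or the VMWare-ESXi filter has a different id, the statement either overwrites another filter or silently updates zero rows; a `sqlCheck` precondition asserting that the row with id 1001 is the VMWare-ESXi filter (or keying on a stable name column, if the table has one) would make the intent explicit and fail loudly. `splitStatements="true"` and `stripComments="true"` are also applied to a payload that is a single dollar-quoted YAML string, and since Liquibase applies both before Postgres sees the text I would not rely on its splitter honoring `$$` quoting; setting both to `false` for this changeSet keeps any future `;` or `--` inside the filter body from being split or stripped rather than stored. There is likewise no `<rollback>`, so rolling back this changeSet would leave `filter_version` at 3.0.2 rather than restoring the prior filter text.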