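# Logstash pipeline: reads IRC log files under /mnt, parses each line with
# grok, normalises the timestamp, and ships events to Elasticsearch.
#
# NOTE(review): in the copy under review every named capture had lost its
# name, leaving `(?[...])` / `(?...)`, which is not a valid group and stops
# the grok patterns from compiling. The names `mode`, `nick`, `logevent`,
# `network` and `channel` below are reconstructed, not taken from the
# original; confirm them against the upstream config and any index mappings
# or dashboards. `date` is inferred from the date filter, whose extra formats
# match the "Day changed" and "Log opened/closed" lines.

input {
  file {
    path => ["/mnt/**/*.log"]
    # With start_position "beginning" and the sincedb discarded to /dev/null,
    # no read offsets survive a restart. Every file is read again from the top
    # each time Logstash starts, and because the output sets no document_id,
    # the index will accumulate duplicate events.
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # Patterns are tried in order: channel events, channel messages, /me
  # actions, day-change markers, log open/close markers. Lines that match
  # none of them are passed on by grok with its failure tag.
  grok {
    match => {
      "message" => [
        "\A\[%{TIMESTAMP_ISO8601:date}\]%{SPACE}-\!-%{SPACE}%{GREEDYDATA:channelevent}$",
        "\A\[%{TIMESTAMP_ISO8601:date}\]%{SPACE}<(?<mode>[@ +])(?<nick>[^> ]*)\>%{SPACE}%{GREEDYDATA:privmsg}$",
        "\A\[%{TIMESTAMP_ISO8601:date}\]%{SPACE}%{SPACE}\*%{SPACE}(?<nick>[^ ]*)%{SPACE}%{GREEDYDATA:actionmessage}$",
        "\A--- (?<logevent>Day changed)%{SPACE}(?<date>%{DAY}%{SPACE}%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{YEAR})",
        "\A--- (?<logevent>Log closed|Log opened)%{SPACE}(?<date>%{DAY}%{SPACE}%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{YEAR})"
      ]
    }
  }

  # Derive two fields from the file path. Both groups are greedy, so with the
  # recursive glob above the first one takes every directory level except the
  # file name.
  grok {
    match => { "path" => "/mnt/(?<network>.*)/(?<channel>.*)\.log" }
  }

  # No timezone is set here, and none of the three formats carries an offset.
  # NOTE(review): confirm the logs were written in the zone this host
  # resolves to, otherwise event times will be shifted.
  date {
    match => ["date", "yyyy-MM-dd HH:mm:ss", "EEE MMM dd yyyy", "EEE MMM dd HH':'mm':'ss yyyy"]
  }
}

output {
  # Prints every parsed event, including message text, to the process's
  # standard output. Whoever can read the Logstash process or container logs
  # can read the chat content.
  stdout { codec => rubydebug }

  # No credentials or TLS settings are configured in this block. If the
  # cluster requires authentication, or the network path to it is not
  # trusted, set the plugin's user/password and SSL options.
  elasticsearch {
    hosts => ["elasticsearch"]
    index => "irclogs"
  }
}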