dosomething-elasticsearch.conf

input {
  tcp { 
    type => "syslog"
    port => 3333
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # See the following URL for a complete list of named patterns
      # logstash/grok ships with by default:
      # https://github.com/logstash/logstash/tree/master/patterns
      #
      # The grok filter will use the below pattern and on successful match use
      # any captured values as new fields in the event.

      # original patter with help from Mike
      # match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp}(?<hostname>(.*?)\:)(?<referer>(.*?)\|)(?<timestamp>\d+\|)(?<module>\w+\|)(?<ipaddress>[0-9\.]+\|)(?<url>[^\|]+\|)\|(?<n>\d+\|)\|(?<error>(.*))" }
     
      # removes  pipes from fields and removes unnecessary fields additionally referer field and " dosomething:" string after server name and handles spaces in the module field
      match => { "message" => "%{SYSLOGTIMESTAMP:Date:}\s(?<Server name:>(.*?))\s((.*?))\|(?<timestamp>\d+)\|(?<Message source:>[\w\s]+)\|(?<IP:>[0-9\.]+)\|(?<URL>[^\|]+)\|([^\|]+\|)?(?<User ID:>\d+)?\|?\|(\d+\|)?\|?(?<Message:>(.*))" }
      add_tag => [ "syslog", "grokked" ]
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]    
    }
		if ("_grokparsefailure" in [tags]) {
		  mutate {
				add_tag => [ "error" ]
			}
		}
    date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The syslog time format looks like: "Oct 20 05:44:34"
      match => { "syslog_timestamp" => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
    }
    
  }
}

output {
  elasticsearch {
    # Setting 'embedded' will run  a real elasticsearch server inside logstash.
    # This option below saves you from having to run a separate process just
    # for ElasticSearch, so you can get started quicker!
    embedded => true
  }
  stdout { codec => rubydebug }
}