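input {
  # TCP input for the logback appender: one JSON object per line.
  # NOTE(review): the listener has no TLS and no client authentication, so
  # anything that can reach port 5000 can inject events; keep it on a trusted
  # network or enable the plugin's TLS options.
  tcp {
    port  => 5000
    codec => json_lines
  }

  # File input for server logs.
  file {
    path           => "/var/log/meldestelle/*.log"
    start_position => "beginning"
    # TODO(review): "/dev/null" discards the read offsets, so every file is
    # re-read from the beginning on each restart (duplicate events). Use a
    # persistent sincedb path outside of development.
    sincedb_path   => "/dev/null"
  }
}

filter {
  # NOTE(review): neither input above sets [type]; this branch only runs when
  # the event itself carries type == "syslog" (e.g. inside the JSON payload).
  if [type] == "syslog" {
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
      }
      # Both fields in one hash: the original declared add_field twice as
      # separate attributes, which leaves the merge of a repeated attribute to
      # the config loader. %{host} assumes a plain string host field -- in
      # ECS-compatible setups this may be an object; verify against the
      # indexed documents.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Replace @timestamp with the time parsed from the syslog line.
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }

  # Parse JSON logs. The check is a cheap pre-filter (single-line objects
  # only); an unparsable body is tagged _jsonparsefailure by the filter.
  # NOTE(review): parsed keys land at the event root, so a log line can set
  # or override top-level fields such as host or type. A `target` would
  # contain them, but changes the document shape in the index -- decide
  # together with the dashboard owners.
  if [message] =~ /^\{.*\}$/ {
    json {
      source => "message"
    }
  }

  # Tag every event with the application name. If the JSON payload already
  # carried an "application" field the value presumably becomes an array
  # rather than being replaced -- confirm against add_field semantics.
  mutate {
    add_field => { "application" => "meldestelle" }
  }
}

output {
  # NOTE(review): plain http without credentials; confirm the cluster is only
  # reachable internally or configure the output's ssl/user/password options.
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "meldestelle-logs-%{+YYYY.MM.dd}"
  }

  # Debug only: echoes every event (including any sensitive log content) to
  # the Logstash process stdout and doubles output work per event.
  stdout {
    codec => rubydebug
  }
}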