Security

Has anyone used Clearpass Syslog Targets with the ELK (Elasticsearch, Logstash, and Kibana)  Stack?

I'm getting data into ELK by using the SYSLOG Splunk export filters provided in the Splunk Integration Guide and the following Logstash configuration:

I'm wondering if anyone has created a Kibana dashboard to analyze the results.

Thanks.

input {
tcp {
port => 5000
type => syslog
}

udp {
port => 5000
type => syslog
}

}

filter {
if [type] == "syslog" and [message] =~ "CPPM" {
grok {
match => { "message" => "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA&colon;syslog_program} %{POSINT:syslog_pid} 1 0 %{GREEDYDATA&colon;syslog_message}" }
}
kv {
source => "syslog_message"
field_split => ","
prefix => "CPPM_"
add_tag => "CPPM, grokkd"
}
}
else if [type] == "syslog" {
grok {
match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA&colon;syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA&colon;syslog_message}" }
}
}
}

output {
if [type] == "syslog" and "_grokparsefailure" in [tags] {
file { path => "/tmp/failed_syslog_events-%{+YYYY-MM-dd}" }
}
else {
elasticsearch { host => "localhost" }
}

I've created a GitHub repository containing my logstash.conf file and the Export of my ClearPass Syslog configuration.  Comments and suggestions welcome!