Parsing & Enrichment
Custom Grok
%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}
Tag Enrichment
if ip in blocklist then tag: ["suspicious","blocklist-hit"]
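The two steps above (grok-style field extraction, then blocklist tagging) carried out end to end, as an added example that is not part of the original page. The regexes are simplified stand-ins for grok's TIMESTAMP_ISO8601 and LOGLEVEL definitions, the blocklist and log lines are constructed, and the `_grokparsefailure` tag follows the usual Logstash convention for lines the pattern does not match.

```python
import re
import ipaddress

# Simplified regex equivalents of the grok patterns on the page (assumption:
# the real grok definitions accept more variants than these).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?"
LOGLEVEL = r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERR(?:OR)?|CRIT(?:ICAL)?|FATAL|ALERT|EMERG(?:ENCY)?)"
LINE_RE = re.compile(rf"^(?P<timestamp>{TIMESTAMP_ISO8601}) (?P<level>{LOGLEVEL}) (?P<message>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed blocklist using documentation ranges, not real indicators.
BLOCKLIST = [ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample input: two well-formed lines and one that will not grok.
SAMPLE_LINES = [
    "2024-05-01T12:00:00Z INFO login ok user=alice src=192.0.2.10",
    "2024-05-01T12:00:05+00:00 WARN failed password for bob from 203.0.113.7",
    "garbage line without a timestamp",
]

def parse_line(line):
    """Apply the grok-style pattern; return the named fields or None on no match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def enrich(event, blocklist=BLOCKLIST):
    """Set 'ip' to the first valid IPv4 in the message and tag it on a blocklist hit."""
    out = dict(event)
    for candidate in IPV4_RE.findall(event["message"]):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        out["ip"] = str(addr)
        if any(addr in net for net in blocklist):
            out["tags"] = ["suspicious", "blocklist-hit"]
        break
    return out

def process(lines, blocklist=BLOCKLIST):
    """Parse then enrich each line; unparsable lines keep the raw text and a failure tag."""
    events = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            events.append({"message": line, "tags": ["_grokparsefailure"]})
        else:
            events.append(enrich(fields, blocklist))
    return events

if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev)
```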