PUT _ingest/pipeline/opnsense
{
  "description": "Parse OPNsense firewall logs",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{DATA:program}: %{GREEDYDATA:msg}"
        ]
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": [
          "MMM  d HH:mm:ss",
          "MMM dd HH:mm:ss"
        ]
      }
    },
    {
      "rename": {
        "field": "host",
        "target_field": "source.host"
      }
    }
  ]
}