grok

[allamiro]

input {
  file {
    path => "/path/to/your/logfile.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }

  mutate {
    add_field => {
      "CEFVersion" => "0"
      "DeviceVendor" => "YourVendor"
      "DeviceProduct" => "YourProduct"
      "DeviceVersion" => "YourVersion"
      "DeviceEventClassId" => "YourEventID"
      "Name" => "%{syslog_program}"
      "Severity" => "Unknown"  # Assuming a default value, you can change it according to your needs.
    }
    replace => { "message" => "CEF:%{CEFVersion}|%{DeviceVendor}|%{DeviceProduct}|%{DeviceVersion}|%{DeviceEventClassId}|%{Name}|%{Severity}|rt=%{syslog_timestamp} src=%{syslog_hostname} spt=%{syslog_pid} msg=%{syslog_message}" }
  }
}

output {
  file {
    path => "/path/to/output/file"
  }
}