Index: /branches/amp_3_7_1_15_syslog/conf/CentOS-Base.repo
===================================================================
--- /branches/amp_3_7_1_15_syslog/conf/CentOS-Base.repo	(nonexistent)
+++ /branches/amp_3_7_1_15_syslog/conf/CentOS-Base.repo	(working copy)
@@ -0,0 +1,24 @@
+[base]
+name=CentOS-$releasever - Base
+baseurl=http://vault.centos.org/7.9.2009/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+ 
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://vault.centos.org/7.9.2009/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+ 
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://vault.centos.org/7.9.2009/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+ 
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://vault.centos.org/7.9.2009/centosplus/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
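Review bot: All four `baseurl` lines fetch over plain `http://`, so repository metadata travels unauthenticated. `gpgcheck=1` covers package signatures only, and no `repo_gpgcheck` is set, so an on-path party could serve stale or filtered metadata and hide packages from the host. Use the HTTPS endpoint in each section, e.g. `baseurl=https://vault.centos.org/7.9.2009/os/$basearch/`. A header comment such as `# vault.centos.org/7.9.2009 is a frozen archive: no further security updates are published here` would also make the patching consequence of this pin visible to whoever deploys the file.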
Index: /branches/amp_3_7_1_15_syslog/conf/README.md
===================================================================
--- /branches/amp_3_7_1_15_syslog/conf/README.md	(nonexistent)
+++ /branches/amp_3_7_1_15_syslog/conf/README.md	(working copy)
@@ -0,0 +1,65 @@
+# Configuration and Installation Instructions
+
+## 1. Update CentOS-Base.repo
+
+To ensure you have access to the correct repositories, update the `/etc/yum.repos.d/CentOS-Base.repo` file with the content provided in `conf/CentOS-Base.repo`.
+
+1.  Backup your existing repository file:
+    ```bash
+    sudo cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
+    ```
+2.  Overwrite the file with the provided configuration:
+    ```bash
+    sudo cp conf/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo
+    ```
+3.  Clean and update yum cache:
+    ```bash
+    sudo yum clean all
+    sudo yum makecache
+    ```
+
+## 2. Install Logstash 7
+
+Follow these steps to install Logstash 7 on CentOS 7.
+
+1.  Import the Elastic PGP Key:
+    ```bash
+    sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    ```
+2.  Create the Logstash repository file `/etc/yum.repos.d/logstash.repo` with the following content:
+    ```ini
+    [logstash-7.x]
+    name=Elastic repository for 7.x packages
+    baseurl=https://artifacts.elastic.co/packages/7.x/yum
+    gpgcheck=1
+    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
+    enabled=1
+    autorefresh=1
+    type=rpm-md
+    ```
+3.  Install Logstash:
+    ```bash
+    sudo yum install logstash
+    ```
+4.  Enable and start the Logstash service:
+    ```bash
+    sudo systemctl enable logstash
+    sudo systemctl start logstash
+    ```
+
+## 3. Configure Logstash for Syslog Collection
+
+Use the provided `syslog.conf` to configure Logstash for collecting syslog messages.
+
+1.  Copy the configuration file to the Logstash configuration directory:
+    ```bash
+    sudo cp conf/syslog.conf /etc/logstash/conf.d/
+    ```
+2.  Test the configuration:
+    ```bash
+    sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
+    ```
+3.  Restart Logstash to apply changes:
+    ```bash
+    sudo systemctl restart logstash
+    ```
Index: /branches/amp_3_7_1_15_syslog/conf/syslog.conf
===================================================================
--- /branches/amp_3_7_1_15_syslog/conf/syslog.conf	(nonexistent)
+++ /branches/amp_3_7_1_15_syslog/conf/syslog.conf	(working copy)
@@ -0,0 +1,134 @@
+input {
+  # TCP Syslog on 6514
+  tcp {
+    port => 6514
+    type => "syslog"
+  }
+
+  # UDP Syslog on 6514
+  udp {
+    port => 6514
+    type => "syslog"
+  }
+
+  # Beats input
+  beats {
+    port => 5044
+    type => "beats"
+  }
+}
+
+filter {
+  # Fix host mapping: host should be an object, not a string
+  mutate {
+    rename => { "host" => "[host][name]" }
+  }
+
+  if [type] == "syslog" {
+
+    ############################################################
+    # Stage 1: Extract PRI
+    ############################################################
+    syslog_pri { }
+
+    ############################################################
+    # Stage 2: RFC5424 Parsing
+    ############################################################
+    grok {
+      match => {
+        "message" => [
+          "^<%{NUMBER:syslog_pri}>%{NUMBER:syslog_version} %{TIMESTAMP_ISO8601:syslog_timestamp} %{HOSTNAME:hostname} %{WORD:app} %{NOTSPACE:procid} %{NOTSPACE:msgid} (\[%{DATA:syslog_sd}\]|-) %{GREEDYDATA:syslog_message}$"
+        ]
+      }
+      tag_on_failure => ["_grok_rfc5424_fail"]
+    }
+
+    if "_grok_rfc5424_fail" not in [tags] {
+      mutate { add_tag => ["rfc5424"] }
+    }
+
+    ############################################################
+    # Stage 3: RFC3164 Fallback
+    ############################################################
+    if "_grok_rfc5424_fail" in [tags] {
+      grok {
+        match => {
+          "message" => [
+            "^<%{NUMBER:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{DATA:app}(?:\[%{NUMBER:procid}\])?: %{GREEDYDATA:syslog_message}$"
+          ]
+        }
+        tag_on_failure => ["_grok_rfc3164_fail"]
+      }
+
+      if "_grok_rfc3164_fail" not in [tags] {
+        mutate { add_tag => ["rfc3164"] }
+      }
+    }
+
+    ############################################################
+    # Stage 3.5: Non-standard / Fallback
+    ############################################################
+    if "_grok_rfc3164_fail" in [tags] {
+      mutate {
+        remove_tag => ["_grok_rfc5424_fail", "_grok_rfc3164_fail"]
+        add_tag => ["non_standard_syslog"]
+        copy => { "message" => "syslog_message" }
+      }
+    }
+
+    ############################################################
+    # Stage 4: Extract structured-data fields
+    ############################################################
+    if [syslog_sd] {
+      kv {
+        source => "syslog_sd"
+        field_split => " "
+        value_split => "="
+        trim_key => "\" "
+        trim_value => "\" "
+        remove_char_value => "\""
+      }
+
+      # Cleanup extra leftover quotes
+      mutate {
+        gsub => [
+          "tzKnown", "\"", "",
+          "isSynced", "\"", "",
+          "syncAccuracy", "\"", ""
+        ]
+      }
+    }
+
+    ############################################################
+    # Stage 5: Make message clean (remove [SD-ID ...] prefix)
+    ############################################################
+    mutate {
+      gsub => [
+        "syslog_message", "^\[[^\]]+\]\s*", ""
+      ]
+    }
+
+    ############################################################
+    # Stage 6: Normalize timestamp
+    ############################################################
+    date {
+      match => [
+        "syslog_timestamp",
+        "ISO8601",
+        "MMM  d HH:mm:ss",
+        "MMM dd HH:mm:ss"
+      ]
+      target => "@timestamp"
+      remove_field => ["syslog_timestamp"]
+    }
+  }
+}
+
+
+output {
+  elasticsearch {
+    hosts => ["localhost:9200"]
+    index => "acm_syslog-%{+YYYY.MM.dd}"
+  }
+  stdout { codec => rubydebug }
+}
\ No newline at end of file
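Review bot: The `tcp` input listens on 6514, the port registered for syslog over TLS, but no TLS options are set, and neither the `udp` nor the `beats` input sets a `host`, TLS or any sender authentication. Anything that can reach these ports can therefore read log traffic in transit or inject forged events into the `acm_syslog-*` indices. Enable TLS with client verification on the `tcp` (and `beats`) input as sketched below, with certificate paths as placeholders. UDP cannot carry TLS, so either drop that input or restrict it to known senders at the firewall. Separately, `syslog_pri { }` in Stage 1 runs before either grok has populated the `syslog_pri` field, so it will most likely fall back to its default priority for every event; moving it after Stage 3.5 should give correct severity and facility labels.

```logstash
  tcp {
    port => 6514
    type => "syslog"
    ssl_enable => true
    ssl_cert => "/path/to/PLACEHOLDER-server.crt"
    ssl_key => "/path/to/PLACEHOLDER-server.key"
    ssl_verify => true
    ssl_certificate_authorities => ["/path/to/PLACEHOLDER-ca.crt"]
  }
  # … unchanged: udp and beats inputs, filter and output sections …
```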
