filter {
  if "keystone-access" in [tags] {
    grok {
      match => { "message" => "%{CISCOTIMESTAMP:keystone_access_timestamp}%{SPACE}%{SYSLOGHOST:log_host}%{SPACE}%{SYSLOGPROG:prog}%{SPACE}%{TIMESTAMP_ISO8601:keystone_timestmp}%{SPACE}%{NUMBER:pid}%{SPACE}%{NOTSPACE:loglevel}%{SPACE}%{NOTSPACE:module}%{SPACE}%{SYSLOG5424SD:requestid}%{SPACE}%{WORD:verb}%{SPACE}%{NOTSPACE:request}" }
    }
  }
  if "keystone" in [tags] {
    if "apache-access" in [tags] {
      grok {
        match => { "message" => "%{COMMONAPACHELOG}" }
      }
      mutate {
        add_field => { "logmessage" => "%{request}" }
        add_field => { "module" => "keystone.access" }
        add_field => { "loglevel" => "INFO" }
      }
    } else if "apache-error" in [tags] {
      grok {
       patterns_dir => ["/opt/logstash/patterns"]
        match => { "message" => "%{KEYSTONE_SUBSECOND_TIMESTAMP:keystone_subsecond_timestamp} %{STANDARD_TIMESTAMP:standard_timestamp} %{NUMBER:pid} %{DATA:loglevel} %{DATA:module} \[%{DATA:requestid}\] %{WORD:verb} %{NOTSPACE:request}" }
      }
      mutate {
        replace => { "module" => "keystone.error.%{module}" }
        uppercase => [ "loglevel" ]
      }
    }
  }
}