filter {
  # Look for rsyslog in the program name and tag it as such, otherwise it's an openstack log.
  if [@fields][program] =~ /rsyslogd*/ {
    mutate {
      add_tag => [ "rsyslogd" ]
      add_field => {
        "os_program" => "rsyslogd"
        "openstack_message" => "%{@message}"
        "os_level" => "%{severity_label}"
      }
      remove_tag => [ "_grokparsefailure" ]
    }
  }
 #---------------------------------------------------------------------------
 # Parse & tag generic openstack log message
 else {
      grok {
        match => { "@fields[program]" => "%{CONTAINER_STRIP:os_program}" }
        remove_tag => [ "_grokparsefailure" ]
        add_tag => [ "_parse_start", "%{os_program}", "openstack-generic" ]
      }
  }
}