filter {
  if "horizon" in [tags] {
    grok {
      patterns_dir => ["/opt/logstash/patterns"]
      match => {
       "message" => [
                      "%{COMMONAPACHELOG}",
                      "\[%{APACHE_ERROR_TIMESTAMP:timestamp}\] \[%{DATA:module}:%{DATA:loglevel}\] \[pid %{POSINT:apache_pid}\:tid %{POSINT:apache_tid}\] ?(?:\[client %{IP:clientip}:%{POSINT:clientport}\] )?%{GREEDYDATA:logmessage}",
                      "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{SYSLOGHOST:host}%{SPACE}%{PROG:prog}%{SPACE}%{IP:clientip}%{SPACE}%{NOTSPACE}%{SPACE}%{NOTSPACE}%{SPACE}%{SYSLOG5424SD}%{SPACE}%{QS}%{SPACE}%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}%{QS}%{SPACE}%{QS}"
                    ]
      }
    }
    geoip {
      source => "clientip"
    }
    if ![loglevel]  {
      mutate {
        add_field => { "logmessage" => "%{request}" }
        add_field => { "module" => "horizon.access" }
        add_field => { "loglevel" => "INFO" }
        add_tag => [ "apache-access" ]
      }
    } else {
      mutate {
        replace => { "module" => "horizon.error.%{module}" }
        add_tag => [ "apache-error" ]
        uppercase => [ "loglevel" ]
      }
    }
  }
}