{
  "extractors": [
    {
      "title": "UniFi AP Events",
      "extractor_type": "grok",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "unifi_ap_event",
      "extractor_config": {
        "grok_pattern": "%{DATA:access_point} %{DATA:unifi_device_mac_address}(?:,%{DATA:ap_model})?: %{DATA:stahtd}: %{DATA:stahtd_process}\\[%{INT:stahtd_id}\\]: %{DATA:stahtd_event}: %{GREEDYDATA:json_data}"
      },
      "condition_type": "regex",
      "condition_value": "stahtd"
    },
    {
      "title": "UniFi Firewall Log",
      "extractor_type": "grok",
      "converters": [],
      "order": 1,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "unifi_fw",
      "extractor_config": {
        "grok_pattern": "%{DATA:device_name} \\[%{DATA:fw_rule_id}\\] DESCR=\\\"\\[%{DATA:fw_rule_group}\\]%{DATA:fw_rule_name}\\\" IN=%{DATA:fw_in_iface} OUT=%{DATA:fw_out_iface} MAC=%{DATA:fw_mac} SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{INT:ip_len} TOS=%{DATA:tos} PREC=%{DATA:prec} TTL=%{INT:ttl} ID=%{INT:packet_id} DF PROTO=%{WORD:proto}(?: SPT=%{INT:src_port})?(?: DPT=%{INT:dst_port})?(?: SEQ=%{INT:seq})?(?: ACK=%{INT:ack})?(?: WINDOW=%{INT:window})?(?: SYN)?(?: URGP=%{INT:urgp})?(?: UID=%{INT:uid})?(?: GID=%{INT:gid})?(?: LEN=%{INT:payload_len})? MARK=%{DATA:fw_mark}"
      },
      "condition_type": "regex",
      "condition_value": "\\[.*\\] DESCR="
    }
  ],
  "version": "6.2.2"
}