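# Tagging filters: mark system auth events and events whose message mentions a timeout.
filter {
  # Events from the "system" module's "auth" fileset get the "auth" tag so they
  # can be selected later in the pipeline.
  if [fileset][module] == "system" and [fileset][name] == "auth" {
    mutate { add_tag => ["auth"] }
  }

  # Case-insensitive match on the raw message text. Logstash regex literals take
  # no trailing flags (/.../i does not parse), so the inline (?i:...) group is used.
  # The tag is derived from free-form log text, which may contain strings chosen
  # by whoever produced the logged data; treat it as a hint, not as proof of a timeout.
  if [message] =~ /(?i:timeout|timed out|connection reset)/ {
    mutate { add_tag => ["timeout"] }
  }

  # Example grok for Nginx (if you ship nginx logs via the file input):
  # NOTE(review): NGINXACCESS must resolve to a known grok pattern; confirm it is
  # defined in your pattern set before enabling this.
  # grok {
  #   match => { "message" => "%{NGINXACCESS}" }
  # }
}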