Handle the new journald based logs

These logs have slightly more information. Also they have syslog
timestamps not iso8601 timestamps.

Change-Id: I7eaa35b3259d17f7e1f5f69e5acf41bddec685f7

filters/openstack-filters.conf

@@ -22,7 +22,7 @@ filter {
   } else if "oslofmt" in [tags] {
     multiline {
       negate => true
-      pattern => "^%{TIMESTAMP_ISO8601} "
+      pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP}) "
       what => "previous"
       stream_identity => "%{host}.%{filename}"
     }
@@ -35,7 +35,7 @@ filter {
       # NUMBER being required element here is important, otherwise
       # ERROR messages just fold into the previous messages, which are
       # typically INFO.
-      pattern => "^%{TIMESTAMP_ISO8601}%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
+      pattern => "^(%{TIMESTAMP_ISO8601}|%{SYSLOGTIMESTAMP})%{SPACE}%{NUMBER}%{SPACE}(TRACE|ERROR)"
       what => "previous"
       stream_identity => "%{host}.%{filename}"
     }
@@ -43,7 +43,7 @@ filter {
       # Do multiline matching as the above mutliline filter may add newlines
       # to the log messages.
       # TODO move the LOGLEVELs into a proper grok pattern.
-      match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}?%{SPACE}?(?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
+      match => { "message" => "(?m)^(%{TIMESTAMP_ISO8601:logdate}|%{SYSLOGTIMESTAMP:logdate})%{SPACE}(%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:|%{NUMBER:pid})?%{SPACE}?(?<loglevel>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) \[?\b%{NOTSPACE:module}\b\]?%{SPACE}?%{GREEDYDATA:logmessage}?" }
       add_field => { "received_at" => "%{@timestamp}" }
     }
   } else if "apachecombined" in [tags] {