okay, this was quick.
I was able to create the respective rule and implement it. There are now even more fields available than I specified.
rule "Unifi USG-3P firewall messages"
when
    contains(to_string($message.source), "usg", true)
then
    set_fields(
        grok(
            pattern: "^.*?SRC=%{IP:source_ip} DST=%{IP:destination_ip}.*? PROTO=%{WORD:protocol} SPT=%{NUMBER:source_port} DPT=%{NUMBER:destination_port} .*?$",
            value: to_string($message.message)
        )
    );
end
I added the rule to a Pipeline, which only contains this rule and is connected to a specific stream.
Why is the rule applied to the default stream as well? I do not mind, but as far as I know, this shouldn’t be?
Chris
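As an added illustration (not part of Chris's post), the following Python code mirrors the rule's logic: the `when` condition on the source field and the grok extraction on the message, with `%{IP}`, `%{WORD}` and `%{NUMBER}` approximated by plain regex classes. The two netfilter-style log lines are constructed, and it shows that the pattern as written only matches TCP/UDP messages, because ICMP lines carry no `SPT=`/`DPT=` fields.

```python
import re
from typing import Optional

# Regex translation of the grok pattern in the rule above.
# %{IP} is approximated by a dotted-quad IPv4, %{WORD} by \w+, %{NUMBER} by digits.
USG_FIREWALL_RE = re.compile(
    r"^.*?SRC=(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"DST=(?P<destination_ip>\d{1,3}(?:\.\d{1,3}){3}).*? "
    r"PROTO=(?P<protocol>\w+) "
    r"SPT=(?P<source_port>\d+) "
    r"DPT=(?P<destination_port>\d+) .*?$"
)

# Constructed sample messages in netfilter log format (not real captures).
TCP_LINE = (
    "[WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)
ICMP_LINE = (
    "[WAN_LOCAL-default-D]IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=12346 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1"
)


def parse_usg_firewall(message: str) -> Optional[dict]:
    """Equivalent of grok(pattern: ..., value: message): named captures or None.

    Values stay strings, like untyped grok captures in the rule."""
    match = USG_FIREWALL_RE.match(message)
    return match.groupdict() if match else None


def apply_rule(source: str, message: str) -> Optional[dict]:
    """Equivalent of the whole rule: the case-insensitive contains() check on
    $message.source, then the extraction. Returns the fields set_fields() would add."""
    if "usg" not in source.lower():
        return None
    return parse_usg_firewall(message)


if __name__ == "__main__":
    print(apply_rule("usg-3p-gateway", TCP_LINE))
    print(apply_rule("usg-3p-gateway", ICMP_LINE))  # None: no SPT/DPT in ICMP lines
```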