Add_field not working

Hi, the following is my Logstash conf file for parsing a few sample audit log messages.
sample messages:

type=SYSCALL msg=audit(1547800652.003:103): arch=c00000b7 syscall=200 success=no exit=-13 a0=c a1=ffffe65a3648 a2=10 a3=2 items=0 ppid=1 pid=5916 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atf_agent" exe="/usr/1aw/bin/atf_agent" subj=system_u:system_r:atf_agent_t key=(null)
type=SYSCALL msg=audit(1647800652.003:103): arch=c00000b7 syscall=200 success=no exit=-17 a0=c a1=ffffe65a3648 a2=10 a3=2 items=0 ppid=1 pid=5916 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atf_agent" exe="/usr/1aw/bin/atf_agent" subj=system_u:system_r:atf_agent_t key=(null)

logstash config file:

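input {
  file {
    path => ["C:/elk stack/sample.log"]
    # Replay the whole file on start-up instead of tailing from its end; this
    # only applies to files that have no sincedb entry yet.
    start_position => "beginning"
    # A bareword here is read as the literal string "NULL", i.e. a sincedb file
    # named NULL in the working directory. Once that file records an offset the
    # sample is no longer replayed on the next run. On Windows point it at the
    # NUL device so nothing is persisted (use "/dev/null" on Unix-like hosts).
    sincedb_path => "NUL"
    # Tag every event so the filter section can scope its conditionals to audit data.
    type => "audit"
  }
}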

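filter {
  if [type] == "audit" {
    # Pull the record type and the audit(<epoch>:<serial>) header out of the raw
    # line; an optional trailing msg='...' payload is captured as sub_msg.
    grok {
      match => { "message" => "type=%{DATA:audit_type}\smsg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):.*?( msg=\'(?<sub_msg>.*?)\')?$" }
      named_captures_only => true
    }
    # Split the remaining key=value pairs; "msg" and "type" were already handled by grok.
    kv {
      exclude_keys => [ "msg", "type" ]
    }
    # Nested key=value pairs inside the optional msg='...' payload.
    kv {
      source => "sub_msg"
    }
    # Use the kernel's own timestamp rather than the ingestion time.
    date {
      match => [ "audit_epoch", "UNIX" ]
    }
    mutate {
      rename => {
        "auid"  => "uid_audit"
        "fsuid" => "uid_fs"
        "suid"  => "uid_set"
        "ses"   => "session_id"
      }
      remove_field => ['sub_msg', 'audit_epoch']
    }
    # kv emits every value as a string, so "exit" arrives as "-13", not -13, and
    # none of the numeric comparisons below can match until it is converted.
    mutate {
      convert => { "exit" => "integer" }
    }
    # Map the negative errno returned by a failed syscall to its text.
    if [exit] == -1 {
      mutate {
        add_field => { "Error" => "Operation not permitted" }
      }
    } else if [exit] == -2 {
      mutate {
        add_field => { "Error" => "No such file or directory" }
      }
    } else if [exit] == -3 {
      mutate {
        add_field => { "Error" => "No such process" }
      }
    } else if [exit] == -4 {
      mutate {
        add_field => { "Error" => "Interrupted system call" }
      }
    } else if [exit] == -5 {
      mutate {
        add_field => { "Error" => "I/O error" }
      }
    } else if [exit] == -6 {
      mutate {
        add_field => { "Error" => "No such device or address" }
      }
    } else if [exit] == -7 {
      mutate {
        add_field => { "Error" => "Argument list too long" }
      }
    } else if [exit] == -8 {
      mutate {
        add_field => { "Error" => "Exec format error" }
      }
    } else if [exit] == -9 {
      mutate {
        add_field => { "Error" => "Bad file number" }
      }
    } else if [exit] == -10 {
      mutate {
        add_field => { "Error" => "No child processes" }
      }
    } else if [exit] == -11 {
      mutate {
        add_field => { "Error" => "Try again" }
      }
    } else if [exit] == -12 {
      mutate {
        add_field => { "Error" => "Out of memory" }
      }
    } else if [exit] == -13 {
      mutate {
        add_field => { "Error" => "Permission denied" }
      }
    } else if [exit] == -14 {
      mutate {
        add_field => { "Error" => "Bad address" }
      }
    } else if [exit] == -15 {
      mutate {
        add_field => { "Error" => "Block device required" }
      }
    } else if [exit] == -16 {
      mutate {
        add_field => { "Error" => "Device or resource busy" }
      }
    } else if [exit] == -17 {
      mutate {
        add_field => { "Error" => "File exists" }
      }
    } else if [exit] == -18 {
      mutate {
        add_field => { "Error" => "Cross device link" }
      }
    } else if [exit] == -19 {
      mutate {
        add_field => { "Error" => "No such device" }
      }
    } else if [exit] == -20 {
      mutate {
        add_field => { "Error" => "Not a directory" }
      }
    } else if [exit] == -21 {
      mutate {
        add_field => { "Error" => "Is a directory" }
      }
    } else if [exit] == -22 {
      mutate {
        add_field => { "Error" => "Invalid argument" }
      }
    } else if [exit] == -23 {
      mutate {
        add_field => { "Error" => "File table overflow" }
      }
    } else if [exit] == -24 {
      mutate {
        add_field => { "Error" => "Too many open files" }
      }
    } else if [exit] == -25 {
      mutate {
        add_field => { "Error" => "Not a typewriter" }
      }
    } else if [exit] == -26 {
      mutate {
        add_field => { "Error" => "Text file busy" }
      }
    } else if [exit] == -27 {
      mutate {
        add_field => { "Error" => "File too large" }
      }
    } else if [exit] == -28 {
      mutate {
        add_field => { "Error" => "No space left on device" }
      }
    } else if [exit] == -29 {
      mutate {
        add_field => { "Error" => "Illegal seek" }
      }
    } else if [exit] == -30 {
      mutate {
        add_field => { "Error" => "Read only file system" }
      }
    } else if [exit] == -31 {
      mutate {
        add_field => { "Error" => "Too many links" }
      }
    } else if [exit] == -32 {
      mutate {
        add_field => { "Error" => "Broken pipe" }
      }
    } else if [exit] == -33 {
      mutate {
        add_field => { "Error" => "Math argument out of domain of func" }
      }
    } else if [exit] == -34 {
      mutate {
        add_field => { "Error" => "Math result not representable" }
      }
    } else if [exit] and [exit] < 0 {
      # Failed syscall with an errno outside the table: keep a visible marker so
      # the gap shows up in the index instead of silently producing no "Error".
      # Records without an exit field (non-SYSCALL types) and successful calls
      # (exit >= 0, usually a descriptor or byte count) are left untouched.
      mutate {
        add_field => { "Error" => "No error message if exit value is equal to %{[exit]}" }
      }
    }
  }
}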

output {
  # Ship every event to the local node under a fixed index name.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "testing"
    #index => "%{aircraft_id}"
  }
  # Echo each parsed event to the console while the pipeline is being debugged.
  stdout { codec => rubydebug }
}

However, the new field "Error" is not getting added. I need help figuring out why that is so.
thanks in advance

Hi,

First, you should add a final else condition:

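else {
  mutate {
    # %{[exit]} is the event field reference (sprintf format). ${...} is the
    # syntax for environment-variable substitution, so the original message
    # would not have expanded the exit value.
    add_field => { "Error" => "No error message if exit value is equal to %{[exit]}" }
  }
}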

Second, I'm not sure, but I think the kv filter returns string values, and in your case you compare the exit field with an integer, so I recommend converting it to an integer before the if tests:

mutate {
  # kv stores "exit" as a string; the numeric conditionals need an integer.
  convert => { "exit" => "integer" }
}

Cad.


Made both changes; it works now.
Thank you so much!
