Can I reference a variable set in my GROK statement in an if statement later on in the filter?

sdvincent · February 11, 2019, 3:23am

The goal is to parse a line from syslog and if the program is sshd, parse the extracted message to grab the source IP. My grok line looks like this:

filter {
  if [fields][type] == "syslog" {
    grok {
      match => {
        "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:system.syslog.hostname} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"]
      }
      pattern_definitions => {
        "GREEDYMULTILINE"=> "(.|\n)*"
      }
      remove_field => ["message"]
    }
...
}

What I would like to have is something like:

filter {
  if [fields][type] == "syslog" {
    grok {
      match => {
        "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:system.syslog.hostname} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"]
      }
      pattern_definitions => {
        "GREEDYMULTILINE"=> "(.|\n)*"
      }
      remove_field => ["message"]
    }
    if "system.syslog.program" == "sshd" {
      grok {
        match => { "[system][syslog][message]" => [ "Disconnected from user root %{IP:[system][auth][ssh][ip]} ", "Accepted keyboard-interactive/pam for root from %{IP:[system][auth][ssh][ip]} " ] }
      }
      geoip {
        source => "system.auth.ssh.ip"
        target => "system.auth.ssh.geoip"
      }
      mutate {
        add_tag => [ "auth" ]
      }
    }
 }
}

Is this possible? I've tried it the way described above as well as trying:

if "[system][syslog][program]" == "sshd" {

But I've had no luck with either. Is this even possible to do?

sdvincent · February 11, 2019, 12:54pm

Turns out I was pretty close. I just had to drop the quotes (ugh!). Now my filter looks like this:

filter {
  if [fields][type] == "syslog" {
    grok {
      match => {
        "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:system.syslog.hostname} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"]
      }
      pattern_definitions => {
        "GREEDYMULTILINE"=> "(.|\n)*"
      }
      remove_field => ["message"]
    }
    if [system][syslog][program] == "sshd" {
      grok {
        match => { "[system][syslog][message]" => [ "Disconnected from user root %{IP:[system][auth][ssh][ip]} ", "Accepted keyboard-interactive/pam for root from %{IP:[system][auth][ssh][ip]} " ] }
      }
      geoip {
        source => "[system][auth][ssh][ip]"
        target => "[system][auth][ssh][geoip]"
      }
      mutate {
        add_tag => [ "auth" ]
      }
    }
    mutate {
      add_tag => [ "system", "syslog" ]
    }
    date {
      match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

I guess I was confused because under a match like in date or add_field, you wrap it in quotes but in if statements you don't.

system · March 11, 2019, 12:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.