Can logstash tagging help me here?


(R) #1

Hi there,

I have a file something like this; a dict file probably. Let's say doms.yaml

artput.date: Emotet
astheir.cricket: Emotet
callcar.stream: Emotet
catflys.online: Phishing
datatax.trade: Phishing
eastbus.racing: RAT
evenran.online: Ransomware
factsgo.science: APT
fallsbe.loan: cryptomining

And then I am parsing bind logs using logstash, with, in particular, the field
%{WORD:queried_domain}

So here, how do I tag the message as soon as any domain from the doms.yaml file is found? Like

If factsgo.science is found and parsed by logstash it should be tagged APT, or if
evenran.online is found it should be tagged by name RANSOMWARE, and so on...

Can someone please help?

Thanks and Regards,
Blason R


(Christian Dahlqvist) #2

I think you should be able to use the translate filter for this.
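
As an added illustration (not Christian's or the Logstash project's own code) of what a translate-filter pipeline for the doms.yaml from the first post looks like; it assumes the dictionary lives at a hypothetical /etc/logstash/dicts/doms.yaml, that [queried_domain] has already been extracted by the existing grok stage, and logstash-filter-translate 3.3.0 or later (older releases spell the options field/destination instead of source/target):

```logstash
filter {
  # DNS names are case-insensitive and some resolvers randomise case
  # (0x20 encoding), so normalise before looking the name up.
  mutate {
    lowercase => [ "queried_domain" ]
  }

  translate {
    source           => "queried_domain"
    target           => "threat_category"
    # Hypothetical path; doms.yaml is the "domain: category" file
    # shown in the first post. Keys in the file must be lowercase too.
    dictionary_path  => "/etc/logstash/dicts/doms.yaml"
    # Re-read the file every 5 minutes so the list can be updated
    # without restarting the pipeline.
    refresh_interval => 300
    # Whole-key match: "factsgo.science" hits, "xfactsgo.science" does not.
    exact            => true
    # No fallback on purpose: [threat_category] stays unset for unknown
    # domains, so the conditional below only fires on listed ones.
  }

  if [threat_category] {
    mutate {
      # Turn the category into a tag, e.g. "APT" for factsgo.science
      # and "Ransomware" for evenran.online.
      add_tag   => [ "%{threat_category}" ]
      # Keep a fixed marker field as well, convenient for alerting rules.
      add_field => { "threat_listed" => "true" }
    }
  }
}
```

One check worth making on the grok side: %{WORD} matches \w+ and stops at the first dot, so it would capture only "factsgo" from "factsgo.science" and the lookup would never hit; %{HOSTNAME:queried_domain} captures the whole name.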


(R) #3

hmm... I am wondering how? But anyway, let me dig further, or I would really appreciate it if you can give me a small hint.

TIA

Thanks and Regards,
Blason R


(R) #4

OK - Thanks, that resolved the issue 🙂


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.