Checking Existence of Sub-Field Revisited

Looking at previous topics, it seems like the IF-Statement check works, but I haven't been able to prove it in my environment. The logstash conf file looks like this:

  if ![system][auth][ssh][ip] {
    geoip {
      source => "[system][auth][ssh][ip]"
      target => "[system][auth][ssh][geoip]"
    }
  }

But the geoip function is still called, producing _geoip_lookup_failure, ignoring the ! expression:

{
    "_index" : "syslogsb-2019.01",
    "_type" : "doc",
    "_id" : "Yz5BXmgBYjx6Cscsjw4P",
    "_score" : 1.0,
    "_source" : {
      "input" : {
        "type" : "log"
      },
      "@timestamp" : "2019-01-17T23:59:35.000Z",
      "tags" : [
        "system",
        "auth",
        "_geoip_lookup_failure"
      ],
      "beat" : { },
      "prospector" : {
        "type" : "log"
      },
      "source" : "/var/log/auth.log",
      "offset" : 195606,
      "system" : {
        "auth" : {
          "timestamp" : "Jan 17 15:59:35",
          "message" : "pam_unix(sshd:auth): check pass; user unknown",
          "hostname" : "myhost",
          "program" : "sshd",
          "pid" : "8388"
        }
      }
    }
  }

I'm not sure what's wrong with it. Can anyone confirm?

Thanks
Rudy

That should not be negated.

So what should be the expression?

if ![system][auth][ssh][ip] {
   geoip {
       source => "[system][auth][ssh][ip]"

This says "if the field [system][auth][ssh][ip] does not exist then run geoip against it". That will always fail. You should use

if [system][auth][ssh][ip] {
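To make the difference concrete, here is a small Python model of what the two conditionals do to the two kinds of event in this thread. This is an added illustration, not code from the thread or from Logstash itself: the sample events are constructed from the documents quoted above, the GeoIP database is replaced by a one-entry lookup table, and the bare field test is modelled as "field is present", which is a simplification of Logstash's full truthiness rules.

```python
import copy
import re

# Constructed sample events, shaped after the two documents quoted in the thread.
EVENT_WITHOUT_IP = {
    "tags": ["system", "auth"],
    "system": {"auth": {"program": "sshd", "pid": "8388",
                        "message": "pam_unix(sshd:auth): check pass; user unknown"}},
}
EVENT_WITH_IP = {
    "tags": ["system", "auth"],
    "system": {"auth": {"ssh": {"event": "Failed", "ip": "202.129.29.135",
                                "port": "34411", "method": "password"}}},
}

# Constructed stand-in for the GeoIP database (values taken from the thread's second document).
FAKE_GEOIP_DB = {
    "202.129.29.135": {"ip": "202.129.29.135", "country_code2": "TH",
                       "country_name": "Thailand", "timezone": "Asia/Bangkok"},
}

_SEGMENT = re.compile(r"\[([^\[\]]+)\]")


def split_ref(ref):
    """Turn "[system][auth][ssh][ip]" into ["system", "auth", "ssh", "ip"]."""
    keys = _SEGMENT.findall(ref)
    if not keys or "".join(f"[{k}]" for k in keys) != ref:
        raise ValueError(f"malformed field reference: {ref!r}")
    return keys


def get_field(event, ref):
    """Walk the nested dict; return None as soon as any segment is missing."""
    node = event
    for key in split_ref(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def set_field(event, ref, value):
    """Create intermediate objects as needed, like the Logstash event API does."""
    keys = split_ref(ref)
    node = event
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def condition_holds(condition, event):
    """Evaluate "[ref]" (field present) or "![ref]" (field absent).

    Assumption: a bare field test is modelled purely as presence; Logstash's
    real rules for false/nil values are not reproduced here.
    """
    negated = condition.startswith("!")
    present = get_field(event, condition.lstrip("!")) is not None
    return present != negated


def fake_geoip(event, source, target):
    """Mimic the geoip filter: enrich on a hit, otherwise tag _geoip_lookup_failure."""
    ip = get_field(event, source)
    record = FAKE_GEOIP_DB.get(ip) if isinstance(ip, str) else None
    if record is None:
        event.setdefault("tags", []).append("_geoip_lookup_failure")
        return False
    set_field(event, target, dict(record))
    return True


def run_filter_block(condition, event):
    """Apply the thread's filter block to a copy of the event and return the result."""
    out = copy.deepcopy(event)
    if condition_holds(condition, out):
        fake_geoip(out, "[system][auth][ssh][ip]", "[system][auth][ssh][geoip]")
    return out


if __name__ == "__main__":
    for cond in ("![system][auth][ssh][ip]", "[system][auth][ssh][ip]"):
        for name, ev in (("without ip", EVENT_WITHOUT_IP), ("with ip", EVENT_WITH_IP)):
            result = run_filter_block(cond, ev)
            enriched = get_field(result, "[system][auth][ssh][geoip]") is not None
            print(f"{cond:26} {name:11} tags={result['tags']} geoip={'yes' if enriched else 'no'}")
```

Running it shows the negated form sending exactly the events that have no IP into geoip (hence the `_geoip_lookup_failure` tag) and skipping the ones that do, while the un-negated form enriches only events that carry `[system][auth][ssh][ip]` and leaves the rest untouched.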

Ah, that makes sense. forehead slap
What threw me off was that when system.auth.ssh.ip does exist, the same IF-expression ran geoip anyway.

{
    "_index" : "syslogsb-2019.01",
    "_type" : "doc",
    "_id" : "1D5FXmgBYjx6Cscs6BTc",
    "_score" : 1.0,
    "_source" : {
      "input" : {
        "type" : "log"
      },
      "@timestamp" : "2019-01-18T00:04:22.000Z",
      "tags" : [
        "system",
        "auth"
      ],
      "beat" : { },
      "prospector" : {
        "type" : "log"
      },
      "source" : "/var/log/auth.log",
      "offset" : 199546,
      "system" : {
        "auth" : {
          "ssh" : {
            "geoip" : {
              "ip" : "202.129.29.135",
              "continent_code" : "AS",
              "country_code2" : "TH",
              "country_code3" : "TH",
              "location" : {
                "lat" : 13.75,
                "lon" : 100.4667
              },
              "latitude" : 13.75,
              "longitude" : 100.4667,
              "timezone" : "Asia/Bangkok",
              "country_name" : "Thailand"
            },
            "event" : "Failed",
            "port" : "34411",
            "ip" : "202.129.29.135",
            "method" : "password"
          },
          "timestamp" : "Jan 17 16:04:22",
          "hostname" : "myhost",
          "pid" : "8820",
          "user" : "cron"
        }
      }
    }
  }

Anyway, it works now. Thanks for your help!

regards
Rudy

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.