Compare 2 fields and drop the matching

Dr.Dark92 · February 21, 2023, 7:44am

Hi,
I am trying to make a Dashbaord for Bind9 engine,
in brief i have 3 indexes,

first index for Blacklist logs
second index for whitelist logs
third index for resolver logs.

the goal is : to drop any blacklisted domains or whitelisted domains from resolver logs.
my current progress, if i compare the field with a value it works fine E.g

if [URL] in ["website.com", "website2.com"] {
  	drop{}

however if i try to compare this way, it doesn't work

if [URL] in [Website] {
  	drop{}

this is my full logstash config file




########################## 1.0 - Stream-1-Resolver-logs-Stream1-Resolver ############################

input {
  beats {
  type => "resolver"
    port => 5044
  }
}


####################################################################################################

################################### timezone filter ########################################
filter {
  ruby {
    code => "
      require 'time'
      tz = Time.now.getlocal('+04:00')
      event.set('timezone', tz.strftime('%Y.%m.%d.%H'))
    "
 }
 }
#####################################################################################################

filter {
	if "domains" in [tags] {
    	grok { match => {"message" => "%{GREEDYDATA:BlacklistWebsite}"
  }

    }
  }
  }



########################## 1.1 - Stream-1-Resolver Resolver Grok ####################################
filter {

 if "resolver" in [tags] {
grok { match => {"message" => "%{MONTHDAY:Day}-%{MONTH:Month}-%{YEAR:Year} (?<time>\d{2}):%{GREEDYDATA}%{SPACE}%{WORD:Client}%{SPACE}@%{WORD:word}%{SPACE}%{IPV4:IP}#%{SPACE}%{WORD:request_Number}%{SPACE}%{DATA:word}:%{SPACE}%{DATA:ACTION_Type}:%{SPACE}%{GREEDYDATA:URL} IN A %{SPACE}%{GREEDYDATA:Method} +%{GREEDYDATA:Resolver}"
}
}


mutate {
	add_field => {"logtype" => "resolver"}
}
}
  if [URL] in [Website] {
  	drop{}
}
}
#####################################################################################################



################### 1.2 -  Stream-1-Resolver  Index #########################################
output {
if "resolver" in [tags] {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "resolver-%{timezone}"
    user => "elastic"
    password => "user@user.com"
    ssl => true
ssl_certificate_verification => false
cacert => "/etc/logstash/http_ca.crt"
}
}
}
################################################################################################

########################## 2.0 - Stream-2-RPZ-logs-Stream2-RPZ ################################

####################################################################################################

########################## 2.2 - Stream-2-RPZ Grok #################################################

filter {
if "blacklist" in [tags] {
 grok { match=> {"message" => "%{MONTHDAY:Day}-%{MONTH:Month}-%{YEAR:Year} (?<time>\d{2}):%{GREEDYDATA}%{SPACE}%{WORD:Type}:%{SPACE}%{LOGLEVEL:LogLevel}:%{SPACE}%{WORD:Client}%{SPACE}@%{WORD:Data}%{SPACE}%{IPV4:IP}#%{WORD:Number}%{SPACE}\(%{GREEDYDATA:Website}\):%{SPACE}%{WORD:Type}%{SPACE}%{WORD:DNSRESPONSE}%{DATA:local-data}%{SPACE}%{WORD:Word}%{SPACE}%{WORD:Redirect}%{SPACE}%{DATA:URL}.*(?<RPZ>whitelist|blacklist)\.local\.com.*"
 }
 }
if [RPZ] == "whitelist" {
	mutate {
	replace => { "tags" => "whitelist" }
	add_field => {"logtype" => "whitelist"}
 }
 }
 }
 }
####################################################################################################

########################## 2.3 - Stream-2-RPZ Index #################################################

output {

 if [RPZ] == "blacklist" {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "blacklist-%{timezone}"
    user => "elastic"
    password => "elastic@elastic.com"
    ssl => true
ssl_certificate_verification => false
cacert => "/etc/logstash/http_ca.crt"
}
}
if [RPZ] == "whitelist" {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "whitelist-%{timezone}"
    user => "elastic"
    password => "elastic@elastic.com"
    ssl => true
ssl_certificate_verification => false
cacert => "/etc/logstash/http_ca.crt"
}
}
}

output {
if "domains" in [tags] {
stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "domains-%{timezone}"
    user => "elastic"
    password => "user@user.com"
    ssl => true
ssl_certificate_verification => false
cacert => "/etc/logstash/http_ca.crt"
}
}
}


#####################################################################################################

i have been working on it for 3 weeks and cant get any progress for, planning to fix it using bash script but bash only works on single thread it wont work on large amount of data.

so thanks in advance

Majid Aljerdani

Badger · February 21, 2023, 5:27pm

You are doing that comparison in section 1.1 of your configuration, but [Website] does not exist until the grok in section 2.2 executes, so that comparison will never match.

system · March 21, 2023, 5:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IF conditional not dropping field Logstash	2	519	February 19, 2018
Logstash null fields to drop Logstash	5	1932	April 1, 2019
Field search using Logstash configuration Logstash	1	185	July 15, 2021
[SOLVED] Drop when a field is equal to Logstash	3	1238	July 6, 2017
Remove Specific Field matching pattern Logstash	5	754	April 19, 2023

Compare 2 fields and drop the matching

Related Topics