Comparing data from two different sources

Greetings, everyone. I am having trouble comparing two data sources. What I want to do is check the message field in "/var/log/auth.log" and see if it contains a word / string from the "test" database table. Is this the right way to do the matching?


input {
  jdbc {
    jdbc_driver_class => "com.mysql.jdbc.Driver"
    jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
    jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem"
    jdbc_user => "root"
    jdbc_password => "toor"
    schedule => "* * * * *"
    statement => ["SELECT * FROM test"]
  }

  #jdbc {
  #  jdbc_driver_class => "com.mysql.jdbc.Driver"
  #  jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
  #  jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem?user=root&password=toor"
  #  jdbc_user => "root"
  #  jdbc_password => "toor"
  #  schedule => "* * * * *"
  #  statement => ["SELECT * FROM asset"]
  #}

  file {
    path => "/var/log/auth.log"
  }
}

filter {
  #jdbc_streaming {
  #  jdbc_driver_class => "com.mysql.jdbc.Driver"
  #  jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
  #  jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem"
  #  jdbc_user => "root"
  #  jdbc_password => "toor"
  #  statement => "SELECT evdesc FROM test"
  #  parameters => { "evdesc" => "evlock" }
  #  target => "evlock"
  #}

  if [message] in [evdesc] {
    mutate {
      add_field => {
        "exists in database" => true
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["192.168.43.250:9200"]
    index => "correlation-%{+YYYY.MM.dd}"
  }

  stdout { codec => rubydebug }
}

I tried running the above configuration but didn't see the new field added in Kibana. Thanks in advance.
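One working shape for this correlation, as an added example that is not part of the original thread: events from the jdbc input and the file input are separate events, so `[evdesc]` never exists on an auth.log event and the conditional can never be true. Enriching each log line with a jdbc_streaming lookup and then doing the substring check in a ruby filter keeps everything on one event; the table, column, driver path and hosts are the ones from the post, the field names `db_terms`, `exists_in_database` and `matched_term` are my own, and `MYSQL_PASSWORD` is assumed to be set in the environment or the Logstash keystore.

```logstash
input {
  file {
    path => "/var/log/auth.log"
  }
}

filter {
  # Look the "test" table up per event instead of reading it as its own
  # event stream. Assumes the table has a text column named evdesc.
  jdbc_streaming {
    jdbc_driver_class => "com.mysql.jdbc.Driver"
    jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
    jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem"
    jdbc_user => "root"
    # Resolved from the environment or the keystore rather than hard-coded.
    jdbc_password => "${MYSQL_PASSWORD}"
    statement => "SELECT evdesc FROM test"
    # Result lands as an array of rows: [{"evdesc" => "..."}, ...]
    target => "db_terms"
    # Cache the (parameter-less) query so the table is re-read once a minute,
    # not once per log line.
    use_cache => true
    cache_expiration => 60.0
  }

  # Substring check: does any evdesc value occur in the log line?
  ruby {
    code => '
      msg   = event.get("message").to_s
      rows  = event.get("db_terms") || []
      terms = rows.map { |r| r["evdesc"].to_s }.reject(&:empty?)
      hit   = terms.find { |t| msg.include?(t) }
      event.set("exists_in_database", !hit.nil?)
      event.set("matched_term", hit) if hit
    '
    # Drop the raw lookup result before indexing.
    remove_field => ["db_terms"]
  }
}

output {
  elasticsearch {
    hosts => ["192.168.43.250:9200"]
    index => "correlation-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
```

With this pipeline every auth.log event carries `exists_in_database` (true or false), so a Kibana filter on that field shows both hits and misses, and `matched_term` records which table value triggered the hit.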

anyone?

Can you post the stdout of the configuration, showing how the data is parsed?
