Comparing data from two different source

Elastic Stack Logstash
1

Greetings, everyone. I have a trouble on comparing two data sources. What i want to do is check message field on "/var/log/auth.log" and see if it contains a word / string from "test" database table. Is this the right way to do the matching?


input {
jdbc
  {
    jdbc_driver_class => "com.mysql.jdbc.Driver"
    jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
    jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem"
    jdbc_user => "root"
    jdbc_password => "toor"
    schedule => "* * * * *"
    statement => ["SELECT * FROM test"]
  }

#jdbc
#  {
#    jdbc_driver_class => "com.mysql.jdbc.Driver"
#    jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
#    jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem?user=root&password=toor"
#    jdbc_user => "root"
#    jdbc_password => "toor"
#    schedule => "* * * * *"
#    statement => ["SELECT * FROM asset"]
#  }

	file {
	path => "/var/log/auth.log"
	     }

}




filter {

#jdbc_streaming {
#	jdbc_driver_class => "com.mysql.jdbc.Driver"
#    	jdbc_driver_library => "/home/donny/Downloads/mysql-connector-java-8.0.17.jar"
#    	jdbc_connection_string => "jdbc:mysql://192.168.43.250/siem"
#    	jdbc_user => "root"
#    	jdbc_password => "toor"        
#	statement => "SELECT evdesc FROM test"
#        parameters => { "evdesc" => "evlock"}
#        target => "evlock"
#    }


if [message] in [evdesc] {
  mutate {
    add_field => {
      "exists in database" => true
    }
  }
}





}
output {

elasticsearch
  {
    hosts => ["192.168.43.250:9200"]
    index => "correlation-%{+YYYY.MM.dd}"
  }

stdout{ codec => rubydebug }

}

I tried running above configurations but didnt see the new field added in Kibana. Thanks in advance.

2

anyone?

3

Can you post the stdout of the configuration how the data is parsed

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.