Conditional being ignored for grok match

Hi all,

I have a working filter for a specific log, and I am happy with that. However, one other log is being matched on it, even though the conditional I am using should not do so. I am matching on tags.

```
if "access" and "apache" in [tags] {
  grok {
    match => [ "message", "%{BACKOFFICEAPACHELOG}" ]
    overwrite => [ "timestamp", "message" ]
    tag_on_failure => [ "_grokfail_access" ]
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    add_tag => [ "dateparsesuccess" ]
  }
}
```

Filebeat sends a log, tagged with "apache" and "access" and this parses nicely. Another log on the same device is sent, but tagged differently: it is tagged "apache" but NOT "access". Why is this log being matched with this pattern? The log format is different, so the grok parse fails (time stamp format is different), and clutters my logstash log file. No bueno. Any thoughts?

Filebeat config here:

```
filebeat:
  prospectors:
    -
      paths:
        - /var/log/php_cli.log
      input_type: php_error
      fields_under_root: true
      fields:
        host: bohost0
        tags: ["php","error","bo","cli","internal"]
    -
      paths:
        - /var/www/bo..local/logs/access.ssl.log
      input_type: apache_access
      fields_under_root: true
      fields:
        host: bohost0
        tags: ["apache","access","bo","internal"]
    -
      paths:
        - /var/www/bo..local/logs/error.ssl.log
      input_type: apache_error
      fields_under_root: true
      fields:
        host: bohost0
        tags: ["apache","error","bo","internal"]

  registry_file: /var/lib/filebeat/registry
```

if "access" and "apache" in [tags] {

This doesn't work as you think. Try this instead:

if "access" in [tags] and "apache" in [tags] {

Oh my goodness, my boolean needs some work then, obviously! Thanks, that did the trick. I assume it was parsing it as "If 'access'" (end logic) and then "if 'apache' in tags", then grok. Since my two logs both had apache in the tags, it was running it on both.

Awesome!
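Added example, not part of the original thread: a small test pipeline that runs the conditional from the question and the one from the reply side by side against events carrying the three tag sets from the Filebeat config. The generator inputs, their sample lines and the field names `original_conditional` and `corrected_conditional` are constructed for illustration.

```logstash
# Constructed test pipeline: three generator inputs stand in for the
# Filebeat prospectors, each emitting one event with a fixed tag set.
input {
  generator {
    lines => [ "constructed access log line" ]
    count => 1
    tags  => [ "apache", "access", "bo", "internal" ]
  }
  generator {
    lines => [ "constructed error log line" ]
    count => 1
    tags  => [ "apache", "error", "bo", "internal" ]
  }
  generator {
    lines => [ "constructed php log line" ]
    count => 1
    tags  => [ "php", "error", "bo", "cli", "internal" ]
  }
}

filter {
  # Form from the question: `in [tags]` applies only to "apache";
  # "access" stands alone as a separate operand of `and`.
  if "access" and "apache" in [tags] {
    mutate { add_field => { "original_conditional" => "matched" } }
  }

  # Form from the reply: each tag gets its own membership test.
  if "access" in [tags] and "apache" in [tags] {
    mutate { add_field => { "corrected_conditional" => "matched" } }
  }
}

output {
  # Print each event with its tags and whichever marker fields were added.
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f` pointed at the saved file and compare the marker fields per event: the thread reports that the original form also matched the log tagged "apache" but not "access", while the corrected form did not.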