Define a no existent field

PAU_SUREDA_COLL · April 11, 2018, 4:03pm

how can I define that there is no field called dir?
I tried that and it doesn't worked
if ![dir] {
}

magnusbaeck · April 11, 2018, 5:50pm

That's the correct way to do it. If you can boil down your configuration to the simplest possible example that reproduces your problem we can have a look at it.

PAU_SUREDA_COLL · April 12, 2018, 9:07am

Thanks for your reply, that's the code:
filter {
grok {
match => [ "message", "%{SYSLOG5424PRI:syslog_index} %{GREEDYDATA:message}" ]
overwrite => ["message"]
tag_on_failure => [ "failure_grok_fortigate" ]
}

kv{
	source => "message"
	value_split => "="
	field_split => " "
}

if [subtype] == "vpn" {
	if "inbound" in [dir] {
		mutate {
			add_field => {
				"ip_externa" => "%{remip}"
				"puerto_externo" => "%{remport}"
				"ip_interna" => "%{locip}"
				"puerto_interno" => "%{locport}"
				"sentido" => "recibir"
			}
			remove_field => [ "locip", "locport", "remip", "remport" ]
		}
	} else {
		if "outbound" in [dir] {
			mutate {
				add_field => {
					"ip_externa" => "%{remip}"
					"puerto_externo" => "%{remport}"
					"ip_interna" => "%{locip}"
					"puerto_interno" => "%{locport}"
					"sentido" => "enviar"
				}
				remove_field => [ "locip", "locport", "remip", "remport" ]
			}
		} else {
			 if ![dir] {
				mutate {
					add_field => {
						"ip_externa" => "%{remip}"
						"puerto_externo" => "%{remport}"
						"ip_interna" => "%{locip}"
						"puerto_interno" => "%{locport}"
						"sentido" => "recibir"
					}
					remove_field => ["remip", "remport", "locip", "locport" ]
				}
			}
		}
	}
} else {}

if [subtype] == "forward" or "webfilter" or "app-ctrl" {
	if "10." in [dstip] {
		mutate {
			add_field => {
				"ip_externa" => "%{srcip}"
				"puerto_externo" => "%{srcport}"
				"ip_interna" => "%{dstip}"
				"puerto_interno" => "%{dstport}"
				"sentido" => "recibir"
				}
			remove_field => [ "srcip", "srcport", "dstip" , "dstport" ]
			}
	} else {
		if "10." in [srcip] {
			mutate {
				add_field => {
					"ip_externa" => "%{dstip}"
					"puerto_externo" => "%{dstport}"
					"ip_interna" => "%{srcip}"
					"puerto_interno" => "%{srcport}"
					"sentido" => "enviar"
				}
				remove_field => [ "locip", "locport", "remip", "remport" ]
			}
		}
	}
} else {}

if [subtype] == "local" {
	if "10." in [srcip] {
		mutate {
			add_field => {
				"ip_externa" => "%{dstip}"
				"puerto_externo" => "%{dstport}"
				"ip_interna" => "%{srcip}"
				"puerto_interno" => "%{srcport}"
				"sentido" => "enviar"
			}
			remove_field => [ "srcip", "srcport", "dstip" , "dstport" ]
		}
	} else {
	mutate {
		add_field => {
			"ip_externa" => "%{srcip}"
			"puerto_externo" => "%{srcport}"
			"ip_interna" => "%{dstip}"
			"puerto_interno" => "%{dstport}"
			"sentido" => "recibir"
		}
		remove_field => [ "srcip", "srcport", "dstip" , "dstport" ]
	}
		} else {}

if [subtype] == "system" {
	mutate {
		remove_field => [ "srcip", "srcport", "dstip" , "dstport", "locip", "locport", "remip", "remport" ]
	}
} else {}
mutate {
rename => { "time" => "tiempo" }
rename => { "poluuid" => "id_poluu" }
rename => { "catdesc" => "descripcion_cat" }
rename => { "direction" => "direccion" }
rename => { "eventtype" => "tipo_evento" }
rename => { "hostname" => "nombre_host" }
rename => { "method" => "metodo" }
rename => { "profile" => "perfil" }
rename => { "reqtype" => "tipo_peticion" }
rename => { "type" => "tipo" }
rename => { "subtype" => "subtipo" }
rename => { "devname" => "nombre_equipo" }
rename => { "devid" => "id_equipo" }
rename => { "logid" => "id_log" }
rename => { "level" => "nivel" }
rename => { "logdesc" => "descripcion_log" }
rename => { "locport" => "puerto_local" }
rename => { "locip" => "ip_local" }
rename => { "action" => "accion" }
rename => { "user" => "usuario" }
rename => { "group" => "grupo" }
rename => { "xauthuser" => "x_auth_usuario" }
rename => { "xauthgroup" => "x_auth_grupo" }
rename => { "assignip" => "ip_asignada" }
rename => { "vpntunnel" => "tunel_vpn" }
rename => { "status" => "estado" }
rename => { "mode" => "modo" }
rename => { "stage" => "fase" }
rename => { "role" => "rol" }
rename => { "result" => "resultado" }
rename => { "totalsesion" => "sesiones_totales" }
rename => { "bandwidth" => "ancho_banda" }
rename => { "tunnelid" => "tunel_id" }
rename => { "tunneltype" => "tunel_tipo" }
rename => { "tunnelip" => "tunel_ip" }
rename => { "duration" => "duracion" }
rename => { "sentbyte" => "byte_enviado" }
rename => { "rcvdbyte" => "byte_recibido" }
rename => { "srcip" => "ip_origen" }
rename => { "srcport" => "puerto_origen" }
rename => { "dstip" => "ip_destino" }
rename => { "dstport" => "puerto_destino" }
rename => { "remip" => "ip_remota" }
rename => { "destinf" => "informacion_destino" }
rename => { "sessionid" => "id_sesion" }
rename => { "policyid" => "politica_id" }
rename => { "policytype" => "politica_tipo" }
rename => { "dstcountry" => "pais_destino" }
rename => { "srccountry" => "pais_origen" }
rename => { "service" => "servicio" }
rename => { "sentpkt" => "pkt_enviado" }
rename => { "crscore" => "cr_puntuacion" }
rename => { "craction" => "cr_accion" }
rename => { "crlevel" => "cr_nivel" }
remove_field => [ "message", "tags" ]
}

}

magnusbaeck · April 12, 2018, 12:18pm

I doubt that's the simplest possible example. It also doesn't include an example input string.

PAU_SUREDA_COLL · April 12, 2018, 1:03pm

Yes, I use that code, but I remove the input and the output 'cause the problem is in the filter

magnusbaeck · April 12, 2018, 1:57pm

Sure, but it's not what I asked for.

Chances are that you'll find the problem yourself while you're preparing the minimal example.

system · May 10, 2018, 1:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.