Defining "if - elseif - else" when setting up processors?

Elastic Stack Beats
1

Hi,

Some context:
AWS
Log Group: MyLogGroupForEC2s
Log Streams:
myhost1-System #EventViewer
myhost1-Application #EventViewer
myhost1-CloudWatchAgent #CustomLogTxt
and many more for the fictious "myhost1" and A LOT of different hosts.

CloudWatchAgent sends the entire raw EventViewer-event as XML into the "message"-field, OK so lets try and define a "processor" to dissect the message field but here is also my problem;

The EventViewer Application-log has the following field for EventID;
<EventID Qualifiers='.'>(.*?)<\/EventID>
While all other EventViewer-logs have the following field for EventID;
<EventID>(.*?)<\/EventID>
and as stated somewhere in the documentation regarding this, if a field is not found then no processing will occur so we need to differentiate between;
The EventViewer Application-log (w. "Qualifiers")
All other EventViewer-logs (w.o "Qualifiers")
and the custom txt-logs.

I seem to be missing a third option (i.e. "if-else") to do this if I am grasping this correctly;

- if:
    equal:
        - regexp:
            log_stream: "*-Application"
  then:
    - dissect:
        tokenizer: "<Computer>(.*?)<\/Computer>"
        field: "message"
        target_prefix: "Computer"
    - dissect:
        tokenizer: "<Message>(.*?)<\/Message>"
        field: "message"
        target_prefix: "EventID Message"
    - dissect:
        tokenizer: "<Channel>(.+?)<\/Channel>"
        field: "message"
        target_prefix: "Channel"
     - dissect:
        tokenizer: "<Level>(.+?)<\/Level>"
        field: "message"
        target_prefix: "Level"
     - dissect:
        tokenizer: "<EventID Qualifiers='.'>(.*?)<\/EventID>"
        field: "message"
        target_prefix: "EventID"

The above section would catch all log-streams that end with "-Application" but then I need to take into account all other EventViewer-logs (that are without "Qualifiers") and another section to parse / dissect the custom .txt-logs such as the CloudWatchAgent-logs.

It's easier for me to handle the exceptions from the "norm" of "EventID" rather then specify all the logs that should be parsed confirming to "EventID".

Might I be better off using Logstash instead of trying to define this process in Functionbeat?

Thank you in advance for any suggestions / help - TheSwede86

Update: Oh and I know the regex I wrote don't work since it uses reserved characters, need to figure that out but thats another issue.

2

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.