Different format for different output

skowron-line · October 31, 2019, 12:23pm

I would like to send 2 different format message to outputs so I have something like this

input {
    beats {
        port => 5044
    }
}
filter {
    clone {
        clones => ["message"]
        add_tag => ["siem"]
    }

    if "siem" not in [tags] {
        json {
            source => "message"
            remove_field => [ "agent", "host", "input", "ecs", "tags", "log" ]
        }
    }

    if "siem" in [tags] {
        json {
            source => "message"
            remove_field => [ "agent", "host", "input", "ecs", "log" ]
        }
        mutate {
            replace => {"message" => "%{local_time} %{level_name} %{message} %{ip} %{user} %{uri}" }            
        }
    }
}
output {
    
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "audit_%{+YYYY.MM.dd}"
        manage_template => true
        template => "/usr/share/logstash/template/audit.json"
        template_name => "audit"
        template_overwrite => true
    }

    if "siem" in [tags] {
        udp {
            host => "<host>"
            port => "<port>"
        }

        file {
            path => "/var/log/logstash/siem.log"
        }
    }
}

but in siem.log there is still json message

st3inbeiss · October 31, 2019, 12:37pm

If you use the clone Filter, a second, duplicated event is generated and processed as normal event by logstash.

What are you trying to achieve with your clone{} block?

On Clone:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-clone.html

skowron-line · October 31, 2019, 12:55pm

I wan to clone event and add him siem tag so I can catch him in mutate filter which will make me string message not json message

mutate {
            replace => {"message" => "%{local_time} %{level_name} %{message} %{ip} %{user} %{uri}" }            
        }

So I want to have
json going to elasticsearch
string going to siem

st3inbeiss · October 31, 2019, 1:25pm

My guess would be that the configuration of the clone-Filter poses an issue here.
What clones => ["message"] does is, it adds the type "message" to the cloned event. the better option would be to make another type of event like:

clone {
  clones => [ "clonedEvent" ]
}

and not adding a "siem" tag.
As conditional, you can then use something like:
if [type] == "clonedEvent" { ... }

system · November 28, 2019, 1:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.