Dissector mapping, field found in event but it was empty

Badger · November 16, 2017, 8:38pm

Dissect does not like this user's useragent string. All the fields get parsed correctly, including useragent, but it still gets tagged with _dissectfailure.

[2017-11-16T15:28:04,752][WARN ][org.logstash.dissect.Dissector] Dissector mapping, field found in event but it was empty {"field"=>"message", "event"=>{"web.method"=>"GET", "web.cbytes"=>"226", "web.sbytes"=>"294", "web.port"=>"8081", "web.timetaken"=>"62", "message"=>"2017-11-01 13:10:53 1.2.3.4 GET /favicon.ico - 8081 - 5.6.7.8 QQæµè§å¨+7.9.0+(iPhone;+iOS+11.0.3;+zh_CN) - 302 0 294 226 62", "web.referer"=>"-", "web.subresponse"=>"0", "web.useragent"=>"QQæµè§å¨+7.9.0+(iPhone;+iOS+11.0.3;+zh_CN)", "web.server_ip"=>"1.2.3.4", "@timestamp"=>2017-11-16T20:28:04.732Z, "web.request"=>"/favicon.ico", "@version"=>"1", "host"=>"sd-0364-9b52.nam.nsroot.net", "web.user_id"=>"-", "web.sysdate"=>"2017-11-01 13:10:53", "web.querystring"=>"-", "web.responsestatus"=>"302", "web.client_ip"=>"5.6.7.8"}}

The filter is

filter {
    dissect {
        mapping => { "message" => "%{web.sysdate} %{+web.sysdate} %{web.server_ip} %{web.method} %{web.request} %{web.querystring} %{web.port} %{web.user_id} %{web.client_ip} %{web.useragent} %{web.referer} %{web.responsestatus} %{web.subresponse} %{web.sbytes} %{web.cbytes} %{web.timetaken}" }
   }
}

According to 'od -ha' the user agent string starts with

0000000    5151    b5e6    e88f    88a7    99e5    2ba8    2e37    2e39
          Q   Q   f   5  si   h   '  bs   e  em   (   +   7   .   9   .

michaelcheung · November 21, 2017, 10:31am

I have similar issue also. I updated my docker base image from logstash 5.6.1 to 6.0.0. Using same input message and dissect filter, in 6.0.0, I get _dissectfailure in tags array. But other fields are parsed correctly. This is a slight concern as I would check any failure from tags afterwards.

michaelcheung · November 21, 2017, 12:02pm

I have further tested this issue. I guessed it may be related to string length checking in dissect. The line I suspect: https://github.com/logstash-plugins/logstash-filter-dissect/blob/v1.1.2/src/main/java/org/logstash/dissect/JavaDissectorLibrary.java#L187

I reproduce with following case, using utf8 chinese character.

dissect {
    mapping => { message => "%{name}" }
}

And message is simply 子

Eugene_Aikashev · December 1, 2017, 3:33pm

I have similar issue too. Any ideas?

[2017-12-01T17:08:47,940][WARN ][org.logstash.dissect.Dissector] Dissector mapping, field found in event but it was empty {"field"=>"message", "event"=>{"@version"=>"1", "host"=>"x.x.x.x", "@timestamp"=>2017-12-01T15:08:47.935Z, "message"=>"{"event_type":"FirewallAggregated_Event","ipv4":"x.x.x.x","hostname":"xxxx","source_uuid":"94d52e7b-680f-47a9-a82b-c87e3ff43e4d","occured":"01-Dec-2017 15:01:09","severity":"Warning","event":"Detected Port Scanning attack","source_address":"xxxx","source_address_type":"IPv4","source_port":63966,"target_address":"xxxx","target_address_type":"IPv4","target_port":1723,"protocol":"TCP","inbound":true,"aggregate_count":1}\n", "type"=>"eset"}}

Robert_Schultz · December 6, 2017, 5:54pm

Same here.

dissect {
  mapping => { "message" => "%{prefix}: %{kvp}" }
}

The message is
Info FIREWALL01 Remove: type=FWD|proto=TCP|srcIF=bond1.1|...
with [...] being key value pairs separated by "|" and lasting for 23 more pairs with a length of 346 characters, codec is charset => "ISO8859-1" on the input.
Message starts with a whitespace, this is not reproducible here somehow...

Seems to have appeared with the change from 6.0.0-rc to 6.0.0
Since then the "Info FIREWALL01 Remove:" could also not be dissected properly with "%{severity} %{name} %{action}:"

Any hints?

guyboertje · December 20, 2017, 4:33pm

This works for me. Note the three dissections. This can be combined into one though.

input {
  generator {
    lines => [
      " Info FIREWALL01 Remove: type=FWD|proto=TCP|srcIF=bond1.1"
    ]
    count => 1
  }
}

filter {
  dissect {
    mapping => {
      message => " %{prefix}: %{kvp}"
      prefix => "%{severity} %{name} %{action}"
      kvp => "%{?k1}=%{&k1}|%{?k2}=%{&k2}|%{?k3}=%{&k3}"
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}

Result:

{
      "sequence" => 0,
          "type" => "FWD",
           "kvp" => "type=FWD|proto=TCP|srcIF=bond1.1",
         "srcIF" => "bond1.1",
      "severity" => "Info",
    "@timestamp" => 2017-12-20T16:30:21.594Z,
          "host" => "Elastics-MacBook-Pro.local",
        "prefix" => "Info FIREWALL01 Remove",
        "action" => "Remove",
       "message" => " Info FIREWALL01 Remove: type=FWD|proto=TCP|srcIF=bond1.1",
      "@version" => "1",
         "proto" => "TCP",
          "name" => "FIREWALL01"
}

system · January 17, 2018, 4:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dissector mapping field not found in event Logstash	14	1255	August 18, 2021
Dissector mapping, field not found Logstash	2	929	January 8, 2020
Logstash dissect plugin prase doesn't correct with empty field in content Logstash	6	1601	November 30, 2017
Dissect failed finding my field in event Logstash	3	312	July 28, 2022
Filter multiple spaces with a single Dissect field? Logstash	3	1755	February 18, 2019

Dissector mapping, field found in event but it was empty

Related topics