Executing a bash script in Logstash's filter and getting data back into a field

Hello friends!
I need some help with my logstash config.

I want to take the event field "winlog.event_data.ObjectName" and pass it to a bash script.
Then I want to get the result back and put it into "winlog.event_data.ObjectName".
Is it possible with the ruby filter or something like that?

Here is the config:

input {
  beats {
    port => 5140
  }
}

filter {
  if [winlog.event_data.ObjectType] {
    ruby {
      code => 'require "open3"
        winlog = event.get("winlog.event_data.ObjectName")
        cmd = "/etc/logstash/script/ldap_search.sh #{winlog}"
        stdin, stdout, stderr = Open3.popen3(cmd)
        event.set("winlog.event_data.ObjectType", stdout.read)
        err = stderr.read
        if err.to_s.empty?
          filter_matched(event)
        else
          event.set("winlog.event_data.ObjectType", err)
        end'
      remove_field => ["tags"]
    }
  }
}

PS:
The "ldap_search.sh" script does the following:
it turns a value like "%{1ee131bd-72b1-47ae-8d79-ba4bd881a86b}"
into a value like "DC=AgentSmith,DC=example.ru,DC=ru".
It can be used to get the "DistinguishedName" of the Active Directory object that was last changed.
Example:
/etc/logstash/script/ldap_search.sh %{1ee131bd-72b1-47ae-8d79-ba4bd881a86b}
stdout:
"DC=AgentSmith,DC=example.ru,DC=ru"

logstash supports periods in field names, so to refer to fields that contain other objects you must use [winlog][event_data][ObjectType]. That is true in the ruby filter too.


Thanks!
I will try it and get back to you soon.

You are my savior!
The config like that is working!

input {
  beats {
    port => 5140
  }
}

filter {
  # if [winlog][event_data][ObjectType] {
  ruby {
    code => 'require "open3"
      win = event.get("[winlog][event_data][ObjectName]")
      # Pass the field value as its own argv element rather than
      # interpolating it into one command string: a single string is
      # handed to /bin/sh, so shell metacharacters inside the event
      # field would be executed as commands. capture3 also reads stdout
      # and stderr together, so a large stderr cannot stall the filter.
      out, err, status = Open3.capture3("/usr/bin/bash",
                                        "/etc/logstash/script/ldap_search.sh",
                                        win.to_s)
      if err.to_s.empty?
        event.set("[winlog][event_data][ObjectName]", out.chomp)
        filter_matched(event)
      else
        event.set("[winlog][event_data][ObjectName]", err)
      end'
    remove_field => ["tags"]
  }
  # }
}

PS:
I would be glad to contribute this filter to the official logstash-plugins, because there are no plugins we can use to turn winlog.event_data.ObjectName into a readable string while parsing the Microsoft Security Log, but later . . .
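An added example, not part of the thread and not the poster's script or Logstash's own code: the filter body above rewritten so it can be run outside Logstash, covering both the bracketed field-reference point from the reply and the subprocess call in the working config. The real ldap_search.sh is replaced by a constructed stand-in that resolves one hard-coded GUID; FakeEvent is a hypothetical shim for the Logstash event object; the field name ObjectNameError is an assumed name for where a lookup error is recorded. It places the thread's single-string Open3 call next to the argv form and shows that a value such as `%{guid} ; echo INJECTED` in the event field runs an extra command in the first form and is just a literal argument in the second.

```ruby
require "open3"
require "tempfile"

# Constructed stand-in for /etc/logstash/script/ldap_search.sh (the thread's
# real script does an LDAP query; this one resolves a single hard-coded
# object GUID so the example runs offline). Unknown GUIDs fail on stderr.
STUB_SCRIPT = <<~'SH'
  #!/bin/sh
  case "$1" in
    '%{1ee131bd-72b1-47ae-8d79-ba4bd881a86b}')
      echo 'DC=AgentSmith,DC=example.ru,DC=ru' ;;
    *)
      echo "no object with GUID: $1" >&2
      exit 1 ;;
  esac
SH

SCRIPT_FILE = Tempfile.new(["ldap_search", ".sh"])
SCRIPT_FILE.write(STUB_SCRIPT)
SCRIPT_FILE.flush
LDAP_SEARCH = SCRIPT_FILE.path

FIELD = "[winlog][event_data][ObjectName]"

# Minimal stand-in for the Logstash event object (hypothetical; it emulates
# only get/set on "[a][b][c]" references, enough for the filter body below).
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    keys(ref).inject(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end

  def set(ref, value)
    ks = keys(ref)
    parent = ks[0..-2].inject(@data) { |h, k| h[k] ||= {} }
    parent[ks.last] = value
  end

  private

  def keys(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end
end

# The thread's pattern: one command string. Ruby hands it to /bin/sh, so
# metacharacters in the (attacker-influenceable) event field run as commands.
def resolve_unsafe(object_name)
  out, _err, _status = Open3.capture3("/bin/sh #{LDAP_SEARCH} #{object_name}")
  out
end

# Hardened form: argv array (no shell), the field value is one literal
# argument, capture3 drains both pipes so stderr cannot stall the filter,
# and the trailing newline is stripped. Returns [dn, nil] or [nil, error].
def resolve_safe(object_name)
  out, err, status = Open3.capture3("/bin/sh", LDAP_SEARCH, object_name.to_s)
  return [out.chomp, nil] if status.success?
  [nil, err.chomp]
end

# Equivalent of the thread's ruby { code => ... } body, with two changes a
# practitioner would want: events without the field are skipped, and on a
# failed lookup the original value is kept and the error goes to a
# separate (assumed) field instead of overwriting ObjectName.
def enrich_object_name(event)
  name = event.get(FIELD)
  return event if name.nil? || name.to_s.empty?
  dn, err = resolve_safe(name)
  if dn
    event.set(FIELD, dn)
  else
    event.set("[winlog][event_data][ObjectNameError]", err)
  end
  event
end

if $PROGRAM_NAME == __FILE__
  guid = "%{1ee131bd-72b1-47ae-8d79-ba4bd881a86b}"
  ev = FakeEvent.new({ "winlog" => { "event_data" => { "ObjectName" => guid } } })
  puts enrich_object_name(ev).get(FIELD)
  tainted = "#{guid} ; echo INJECTED"
  puts "string form ran the injected command" if resolve_unsafe(tainted).include?("INJECTED")
  puts "argv form: #{resolve_safe(tainted).inspect}"
end
```

Inside a real Logstash ruby filter the same `Open3.capture3("/usr/bin/bash", "/etc/logstash/script/ldap_search.sh", win.to_s)` call replaces the interpolated string; everything else here only exists to run the body without Logstash. Object names in Windows security events are controlled by whoever can create or rename directory objects, which is why the argv form matters even when the expected value is a GUID.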
