Filter Logstash based on field from Filebeat tags

Hi guys,

I need some help filtering some data from Filebeat in Logstash.
My original filebeat log looks like this:
*** This is the log from docker from filebeat container

ssl.log

"@timestamp": "2021-03-31T23:14:55.742Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.11.2",
    "pipeline": "filebeat-7.11.2-zeek-ssl-pipeline"
  },
  "service": {
    "type": "zeek"
  },
  "input": {
    "type": "log"
  },
  "ecs": {
    "version": "1.7.0"
  },
  "log": {
    "file": {
      "path": "/pcap/ssl.log"
    },
    "offset": 0
  },
  "message": "#separator \\x09",
  "tags": [
    "zeek.ssl"
  ],
  "event": {
    "category": [
      "network"
    ],
    "type": [
      "connection",
      "protocol"
    ],
    "module": "zeek",
    "dataset": "zeek.ssl",
    "kind": "event"
  },
  "network": {
    "transport": "tcp"
  },
  "fileset": {
    "name": "ssl"
  },
  "zeek": {
    "ssl": {}
  },
  "agent": {
    "name": "b82ef4dedbb9",
    "type": "filebeat",
    "version": "7.11.2",
    "hostname": "b82ef4dedbb9",
    "ephemeral_id": "2a8c7d75-72ec-4e24-a98e-b651a06ce9b8",
    "id": "1e754282-83ed-422b-8a8e-cad5ca3772f0"
  },
  "host": {
    "name": "b82ef4dedbb9"
  }
}

How can I filter this log based on its tag from Filebeat? I don't know how it looks back in Logstash.
My pipeline is like this: Filebeat ==> Kafka ==> Logstash

filter {
  if [tags] == "zeek.ssl" {
    drop {}
  }
}

Is this correct?

Thank you!

Not quite. [tags] is an array, so you need an array membership test:

if "zeek.ssl" in [tags] { drop {} }
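
The membership test from the answer above in a complete pipeline, as an added example that is not part of the original posts. The generator input and both sample events are constructed stand-ins for the Kafka input, so the pipeline can be run offline to see how the Filebeat fields look inside Logstash.

```logstash
# Added example. The generator input stands in for the Kafka input so the
# pipeline runs offline; both sample events are constructed.
# With a real Kafka input, set `codec => json` on it (assumption: Filebeat
# publishes its events to Kafka as JSON) so that [tags] arrives as an array
# field and not as text inside [message].
input {
  generator {
    lines => [
      '{"tags":["zeek.ssl"],"event":{"dataset":"zeek.ssl"},"message":"#separator \\x09"}',
      '{"tags":["zeek.conn"],"event":{"dataset":"zeek.conn"},"message":"constructed conn line"}'
    ]
    count => 1
    codec => json
  }
}

filter {
  # Never true: [tags] is an array and the right-hand side is a string.
  if [tags] == "zeek.ssl" {
    mutate { add_tag => ["matched_by_equality"] }
  }

  # Array membership: true when any element of [tags] equals "zeek.ssl".
  if "zeek.ssl" in [tags] {
    drop { }
  }
}

output {
  # Prints each surviving event with the field layout Logstash sees.
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f` pointing at the saved file: only the event tagged zeek.conn is printed, and it carries no matched_by_equality tag.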

Thank you man! You rock!
