Help with logstash output

Hi guys,

I am trying to capture login and logout events in programs such as TeamViewer and AnyDesk, installed in a Windows virtual machine. Then I send them to my Logstash server via the same Filebeat node. Here is the input, filter and output configuration file. The output I'm using is shared with other logs, which is why I try to differentiate the programs' logs when sending them to their index.

input {
  beats {
    port => "5047"
    type => "beats_programas"
    ssl => true
    ssl_certificate => "/etc/logstash/filebeat.crt"
    ssl_key => "/etc/logstash/filebeat.key"
    ssl_certificate_authorities => ["/etc/logstash/ca.crt"]
  }
}

filter {
  if [type] == "beats_programas" {
    mutate {
      add_field => { "received_at" => "%{@timestamp}" }
      add_field => { "received_from" => "%{host}" }
    }
    # TEAMVIEWER log in and log out
    if "AccountLogin::HandleLoginFinishedWithOld:" in [message] or "Account::Logout:" in [message] {
      mutate {
        add_tag => "teamviewer"
      }
      grok {
        match => { "message" => "%{DATESTAMP:timestamp} +%{NUMBER} +%{NUMBER} %{WORD} +%{GREEDYDATA:message}" }
      }
    # Not interesting logs
    } else {
        drop { }
    }
  }
}

output {
  elasticsearch {
    hosts => ["192.168.153.7:9200"]
    manage_template => false
    if [type] == "beats_programas" {
      if "teamviewer" in [tags] {
        index => "syslog.soc.beats_teamviewer"
      } else {
          index => "syslog.soc.beats_anydesk"
        }
    } else {
      index => "syslog.soc.%{[type]}"
    }
  }
}

The problem is that when I restart Logstash I get this message, although the syntax I have appears to be correct. I receive this error in the Logstash logs:

[2023-07-27T17:36:18,691][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "=>" at line 5, column 8 (byte 100) after output {\n elasticsearch {\n hosts => ["192.168.153.7:9200"]\n manage_template => false\n if ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:383:in block in converge_state'"]}

I know it may be an absurd query but I would appreciate any help.
Thanks in advance and best regards,
Nacho

Line 5, replace with ssl_enabled

Deprecated in 6.6.0.

Replaced by ssl_enabled

This will not work: you cannot have conditionals inside an output plugin, in this case inside the elasticsearch output plugin.

You need to move your conditionals.

Something like:

if [type] == "beats_programas" {
  if "teamviewer" in [tags] {
    elasticsearch { output with the index for this case }
  } else {
    elasticsearch { output with the index for this case } 
  }
} else {
    elasticsearch { output with the index for this case }
}
1 Like
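A complete output block in the shape the reply above describes, added here as an example and not part of the original thread. It reuses the host, type and index names from the first post; since each branch is now a separate elasticsearch plugin instance, every branch has to carry its own hosts and manage_template settings.

```conf
output {
  if [type] == "beats_programas" {
    if "teamviewer" in [tags] {
      # TeamViewer login/logout events tagged by the filter section
      elasticsearch {
        hosts => ["192.168.153.7:9200"]
        manage_template => false
        index => "syslog.soc.beats_teamviewer"
      }
    } else {
      # Everything else arriving on the beats_programas input
      elasticsearch {
        hosts => ["192.168.153.7:9200"]
        manage_template => false
        index => "syslog.soc.beats_anydesk"
      }
    }
  } else {
    # Logs from the other inputs that share this output, indexed by type
    elasticsearch {
      hosts => ["192.168.153.7:9200"]
      manage_template => false
      index => "syslog.soc.%{[type]}"
    }
  }
}
```

Before restarting the service, the pipeline file can be syntax-checked without starting it by running `bin/logstash --config.test_and_exit -f /path/to/pipeline.conf` (the path is a placeholder), which reports the same ConfigurationError shown in the first post instead of failing at startup.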

You cannot have a conditional within the configuration of an output. See this post.

1 Like

I see. Thank you very much for the help!

Thank you so much!
