How do I copy field from one input to another?

Hi Team,

I have server where messages are being parsed from file using grok expression and I have also messages coming from packetbeat shipper. I wanted to copy one field if certain criteria met into the one which is being parsed from grok.

Is this possible?

Please confirm?

e.g.
/var/log/example.com -> grok filter
Field is domainName:
Packetbeat_client_ipaddr: 192.168.5.72

If domainName ~= test.ru
Then
copy packetbeat_client_ipaddr value to grok expression fields

Is this possible?

Logstash certainly supports conditionals. That would likely be

if [domainName] =~ "test.ru" {

I do not know what you mean by "copy packetbeat_client_ipaddr value to grok expression fields". There are several functions of the mutate filter that might be appropriate.

Ok - Let me give you my actual fields

Here is my Grok Data from /var/log/example.log

action: Malicious-TLD
clientipaddr: 192.168.5.111
message: 21-Feb-2022 09:27:26.356 rpz: info: client @0x7f42481b6098 192.168.5.111#56501 (key.ru): rpz QNAME Local-Data rewrite key.ru/A/IN via key.ru.block.tld
origdom: key.ru/A/IN
qdomain: key.ru
rewritten: key.ru.block.tld
timestamp: 2022-02-21 09:27:27 +05:30

And here is the data being received by packetbeat to logstash on port 5044

message: -
packetbeat_client_ip: 192.168.5.74
packetbeat_destination_ip: 192.168.5.111
packetbeat_dns_question_etld_plus_one: key.ru
packetbeat_dns_question_name: key.ru
packetbeat_dns_question_type: A
source: WIN-GKS07C392EJ
timestamp: 2022-02-21 09:27:26 +05:30

So what I wanted to achieve is to copy packetbeat_client_ip (192.168.5.74) into the grok expression's fields, so that it might look like this:

action: Malicious-TLD
clientipaddr: 192.168.5.111
**orignalip**: **192.168.5.74**
message: 21-Feb-2022 09:27:26.356 rpz: info: client @0x7f42481b6098 192.168.5.111#56501 (key.ru): rpz QNAME Local-Data rewrite key.ru/A/IN via key.ru.block.tld
origdom: key.ru/A/IN
qdomain: key.ru
rewritten: key.ru.block.tld
timestamp: 2022-02-21 09:27:27 +05:30
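The two values live in two different events (one from the file input after grok, one from the beats input), so a plain mutate copy, which only moves fields inside a single event, cannot do this on its own; the events first have to be correlated. The following pipeline fragment is an added example, not code from this thread or from the Logstash project. It joins the two streams with the aggregate filter, keyed on the queried name ([packetbeat_dns_question_name] on the packetbeat side, [qdomain] on the grok side, both taken from the posts above), and applies the test.ru criterion from the question. The spelling `originalip` for the wanted field, the 60-second correlation window, and the requirement that both inputs feed one pipeline with `pipeline.workers: 1` are assumptions.

```logstash
# Added example, not from the thread. Assumptions: the file input (grok) and
# the beats input feed this ONE pipeline, and logstash runs it with
# `pipeline.workers: 1`, which the aggregate filter needs to see events in order.
filter {
  # 1. Build a shared correlation key in @metadata (not shipped to outputs).
  #    Packetbeat carries the queried name in [packetbeat_dns_question_name];
  #    the grok'd RPZ line carries the same name in [qdomain].
  if [packetbeat_dns_question_name] {
    mutate { add_field => { "[@metadata][dns_key]" => "%{packetbeat_dns_question_name}" } }
  } else if [qdomain] {
    mutate { add_field => { "[@metadata][dns_key]" => "%{qdomain}" } }
  }

  # 2. Packetbeat DNS event (arrives first, 09:27:26 in the data above):
  #    remember the real client IP behind the forwarding resolver.
  if [packetbeat_client_ip] and [@metadata][dns_key] {
    aggregate {
      task_id    => "%{[@metadata][dns_key]}"
      code       => "map['originalip'] = event.get('packetbeat_client_ip')"
      map_action => "create_or_update"
      timeout    => 60   # assumed window; aggregate allows timeout on one filter per task_id pattern
    }
  }

  # 3. Grok'd RPZ hit (arrives a second later): enrich only when the queried
  #    domain matches the criterion from the question.
  if [qdomain] and [qdomain] =~ /test\.ru$/ {
    aggregate {
      task_id     => "%{[@metadata][dns_key]}"
      code        => "event.set('originalip', map['originalip']) if map['originalip']"
      map_action  => "update"   # no packetbeat event seen for this name: leave the event untouched
      end_of_task => true       # drop the map once the RPZ hit has been enriched
    }
  }
}
```

Why the join matters: in the data above the RPZ log names 192.168.5.111 as the client, but packetbeat shows that host receiving the query from 192.168.5.74, so the RPZ line alone points an analyst at the forwarding resolver rather than at the endpoint that actually asked for the blocked name. Two caveats: the aggregate filter is order-sensitive, so if the grok'd event reaches the filter before the matching packetbeat event (or more than the timeout later) no `originalip` is set; and with the real data, `[action] == "Malicious-TLD"` may be a more useful condition than the regex on the domain. If the pipeline has to run with multiple workers, an external lookup such as the elasticsearch filter against the already indexed packetbeat events is the usual alternative to aggregate.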
