How to call a command from within a mutate email block then include the output in the email?


(Tom) #1

(Rephrasing)

We're trying to achieve the following:

  1. Retrieve a UID from a log file entry / line.
  2. Lookup that UID to get the real User Name.
  3. Email the Log Entry / Line, the UID and the User Name (based on the UID) to a set of recipients.

Currently trying the following, which does lookup but cannot get the Log Entry AND the looked up User Name to email out:

    if [key] == "transfer" {
      mutate { add_tag => "email" }
      ruby {
        code => "event['userdetails'] = %x( /usr/bin/getent passwd event['uid'] )"
      }
    }

We looked at doing something like this:

    input {
      exec {
        command => '/usr/bin/getent passwd 2827362'
      }
    }

but then we're not sure how to pass the output of the command into the email block to be sent out. The 'uid' is retrieved from a log file and we're trying to look up the user before sending the email. How can we achieve this?

Cheers,
Tom


(Magnus Bäck) #2

How about using a translate filter to map the uid to a username? A ruby filter similar to what you have above should also work but it's clearly less efficient.


(Tom) #3

Thanks Magnus,

I agree. I would prefer an integrated solution, if possible.

Could you please direct me to some materials that I could read on that or an example? Still relatively new to salt.

I need to call this from inside the email block by passing a UID to the command, then reading the output and including it in the email I'm about to send.

Cheers,
Tom


(Magnus Bäck) #4

> Could you please direct me to some materials that I could read on that or an example?

https://www.elastic.co/guide/en/logstash/current/plugins-filters-translate.html

I'm sure the archives of these forums contain concrete examples.

> Still relatively new to salt.

Salt?

> I need to call this from inside the email block by passing a UID to the command, then reading the output and including it in the email I'm about to send.

The translate filter allows you to look up the uid and store the resulting username in another field. This field can then be referenced in your email output.


(Tom) #5

Sorry about that. Logstash. While writing this I was talking with someone about salt and the word slipped in.


(Tom) #6

Magnus, in your reply, I'm thinking you're only referring to the conversion of the UID to a username, not the rest of my questions? This also looks like a static assignment that's possible via the translate functions, not something where we can pass a UID variable to translate and it goes and looks up the user on the system.

We do not know what the UID will be and need to look that up dynamically. (I've edited and clarified the original ask above.)

Cheers,
Tom


(Magnus Bäck) #7

If the mappings really can't be static you could, as I said, use a ruby filter that runs the command to dynamically make the mapping. If that isn't performant enough, perhaps you can run an external service and use a ruby filter to query that service via e.g. HTTP?
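
One shell-free way to write the dynamic lookup for a ruby filter, added here as an example (it is not code from the thread or from the Logstash project). It validates the log-derived UID and resolves it in-process with Ruby's `Etc` module instead of interpolating it into a `getent` command line. It assumes Logstash 5 or later (`event.get` / `event.set`) and a script file loaded through the ruby filter's `path` option; `UidResolver`, the `username` field and the `_uid_lookup_failure` tag are names made up for this example.

```ruby
require 'etc'

# Resolves numeric UIDs to user names in-process; no shell is involved.
class UidResolver
  # \A and \z anchor the whole string; Ruby's ^ and $ only anchor a line,
  # so a value with an embedded newline would slip past them.
  UID_PATTERN = /\A\d{1,10}\z/ # assumption: UIDs arrive as plain decimal digits

  # backend: callable taking an Integer uid and returning a name or nil.
  # The default asks the system passwd database through Etc.
  def initialize(backend = nil)
    @backend = backend || method(:system_lookup)
    @cache = {} # uid string => name or nil, so a repeated UID costs one lookup
  end

  def lookup(raw_uid)
    uid = raw_uid.to_s.strip
    return nil unless uid =~ UID_PATTERN # refuse anything that is not digits
    return @cache[uid] if @cache.key?(uid)
    @cache[uid] = @backend.call(uid.to_i)
  end

  private

  def system_lookup(uid)
    entry = Etc.getpwuid(uid)
    entry && entry.name
  rescue ArgumentError, RangeError # unknown user, or value outside uid_t
    nil
  end
end

RESOLVER = UidResolver.new

# Called by the ruby filter for every event when this file is given as `path`.
def filter(event)
  name = RESOLVER.lookup(event.get('uid'))
  if name
    event.set('username', name) # field name chosen for this example
  else
    event.tag('_uid_lookup_failure') # tag name chosen for this example
  end
  [event]
end
```

The email output can then reference the new field with `%{username}` next to the original message. Failed lookups are cached as well, so a UID that did not resolve keeps failing until the pipeline is restarted.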


(Tom) #8

All right, will try a Ruby filter.

Thanks Magnus.

