How to filter logs coming from filebeat and apply a filter on message

Hi Folks,

I am using Logstash 7.8 version and I will be getting logs from multiple data sources as part of my requirement.

I wanted to apply a filter on my log message coming from filebeat and containing the string "pam_sm_open_session" so that I can add a tag to the message and send it to my desired destination.

I have tried using the below to get the desired output, however it is not working for me.

my log message: "Mar 18 23:20:01 PAM-unixteam[14***]: pam_sm_open_session(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF)"

I am using the below filter to add a tag


if [agent_type] == "filebeat" {
  if [message] =~ "pam_sm_open_session" { mutate { add_tag => [ "UNIX" ] } }
}

also tried like below.


if [agent_type] == "filebeat" {
  if "pam_sm_open_session" in [message] { mutate { add_tag => [ "Unix" ] } }
}

but both of them are not working and not giving the expected results.

Appreciate it if anyone can help me in resolving this. Thanks a lot.

I would expect both the tests against [message] to work. Perhaps the test for [agent_type] is not working. What does the event look like if you use

output { stdout { codec => rubydebug } }

Thanks for the reply badger.

Yes, I think the check for [agent_type] is the issue.

Also tried this way, still no luck.


if [agent][type] == "filebeat" {
  if "pam_sm_open_session" in [message] { mutate { add_tag => [ "UNIX" ] } }
}

And for rubydebug, will check and let you know.

Hi,

This is working now for me.


if [agent][type] == "filebeat" {
  if "pam_sm_open_session" in [message] { mutate { add_tag => [ "UNIX" ] } }
}
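For reference, here is a complete pipeline that puts the resolved conditional in context. This is an added example written for this thread, not config posted by anyone in it. It assumes Filebeat ships to a beats input on port 5044, that Elasticsearch is reachable at http://localhost:9200, and that the index name pam-sessions-* is acceptable; the grok pattern is written for the sample line quoted above (the PID in that line is masked as 14***, so the pattern captures it with DATA rather than POSINT). The key point is that Filebeat 7.x sends its agent metadata as a nested object, so the Logstash field reference is [agent][type] rather than a top-level [agent_type]; the rubydebug output from badger's suggestion will show that nesting directly.

```logstash
input {
  # Filebeat -> Logstash over the beats protocol (assumed port)
  beats { port => 5044 }
}

filter {
  # Filebeat 7.x events carry { "agent": { "type": "filebeat", ... } },
  # so the nested reference [agent][type] is required; [agent_type] never matches.
  if [agent][type] == "filebeat" and "pam_sm_open_session" in [message] {
    mutate { add_tag => [ "UNIX" ] }

    # Split the PAM session-open line into searchable fields so the
    # user/service/terminal of each session can be alerted on or dashboarded.
    # Pattern written for the sample line in this thread (assumption).
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:program}\[%{DATA:pid}\]: pam_sm_open_session\(service=%{DATA:pam_service}, terminal=%{DATA:pam_terminal}, user=%{DATA:pam_user}, ruser=%{DATA:pam_ruser}, rhost=%{DATA:pam_rhost}\)"
      }
      # Keep a distinct failure tag so unparsed PAM lines are easy to find.
      tag_on_failure => [ "_pam_grok_failure" ]
    }
  }
}

output {
  # Debug view of every event, including the nested [agent] object.
  # Remove once the conditional is confirmed to fire.
  stdout { codec => rubydebug }

  # Route only the tagged events to the desired destination.
  if "UNIX" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]          # assumed local cluster
      index => "pam-sessions-%{+YYYY.MM.dd}"      # assumed index name
    }
  }
}
```

When the grok step succeeds, the constructed sample line yields pam_service=crond, pam_terminal=cron, pam_user=root, pam_ruser=UNDEF and pam_rhost=UNDEF alongside the UNIX tag; when it fails, the event still carries the UNIX tag plus _pam_grok_failure, so it is routed but flagged for pattern review.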