How to save and delete documents when login or logout event occurs

Hi everyone.
I want to show a list of the number of active users in the VPN log using Logstash.
I distinguished VPN log logins and logouts using the tags field, so I have separate records for login and logout.

This is how I think.

  1. Save the user's value when login using ruby code in the filter.
  2. If the "tags" is login in the output, store it in the new index.
  3. If "tags" is logout, find the same ID in the new index where you saved the login and delete it.

filter {
  kv {
    include_keys => [ "date", "time", "action", "user", "status", "reason" ]
  }
  .
  .
  if "login successfully" in [reason] {
    mutate { add_tag => "login" }
    ruby {
      init => "@@user=''"
      code => "
        @@user=event.get('user')
      "
    }
  }
  .
  .
}
output {
  if "login" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "activeuser"
    }
  } else if "logout" in [tags] {
    ruby {
      code => "
        if event.get('user') == @@user
          elasticsearch {
            hosts => ["localhost:9200"]
            index => "activeuser"
            document_id => "%{id}"
            action => "delete"
          }
        end
      "
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "vpntest"
    }
  }
  stdout { codec => rubydebug }
}

What should I do?
Plus, when "tags" has the login or logout value, I want to store the event in the new index (activeuser) as well as in the existing index (vpntest). How is that possible? I tried, but it did not work well.

Thanks for your help

Clearly you have understood some things really well. However, if you are using class variables (@@foo) to save data between filters then I would lean towards an aggregate filter.

Logstash consumes events from inputs, passes them through filters, and writes them to outputs. The logstash configuration syntax does not support things like

ruby {
    code => "
         if event.get('user') == @@user
              elasticsearch {
                  hosts => ["localhost:9200"]
                  index => "activeuser"
                  document_id => "%{id}"
                  action => "delete"
           end
    "
}

If you can show a dozen lines of the input (expurgated to remove sensitive data) it would be much easier to understand what your requirements are.

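One way to keep the login/logout decision in the filter and let the Elasticsearch output apply it, as an added example that is neither the original poster's nor Badger's config. It assumes one active session per user (so the user name can serve as the document id), that the kv filter extracts the fields shown in the question, and a placeholder logout match string; it also writes every event to vpntest, which covers the "plus)" question about feeding both indices.

```logstash
filter {
  kv {
    include_keys => [ "date", "time", "action", "user", "status", "reason" ]
  }
  if "login successfully" in [reason] {
    mutate {
      add_tag => "login"
      # Assumption: one active session per user, so the user name is the
      # document id and a login simply indexes (or re-indexes) that document.
      add_field => { "[@metadata][es_action]" => "index" }
    }
  } else if "logout" in [reason] {   # placeholder: match your real logout reason
    mutate {
      add_tag => "logout"
      # The matching login wrote document_id => user, so a delete on the same
      # id removes that user from the active set.
      add_field => { "[@metadata][es_action]" => "delete" }
    }
  }
}

output {
  # Every event, login and logout included, still lands in the original index.
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "vpntest"
  }
  # Only login/logout events touch the active-user index; the action is taken
  # from [@metadata], which is never written into the stored document.
  if "login" in [tags] or "logout" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "activeuser"
      document_id => "%{user}"
      action => "%{[@metadata][es_action]}"
    }
  }
  stdout { codec => rubydebug }
}
```

Because no state is shared between filters and outputs, this needs no class variables and no aggregate filter; if a user can hold several sessions at once, the document id would have to include a session identifier from the log instead.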

Hi Badger, here it is.

input {
  file {
    path => "/var/tmp/vpn.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

Is the value saved using Ruby code (@@foo) really not available in the output? If I use the aggregate filter, can I use it in the output?

When I said input I was referring to the contents to /var/tmp/vpn.log :slight_smile:
