If conditional not working

I have a basic conf file that I'm trying to eventually drop dns traffic but for some reason I can't get the if conditionals to work anymore. Below is all that is in this conf file. I've also tried changing the if statement to if "flow" in [tags] as well but same result. I have other conf files with conditionals that are working just fine so I'm stumped on what's wrong with this one.

filter {
  if [tags] == "flow" {
     mutate {
       add_tag => [ "dns_traffic" ]
     }
  }
}

[tags] is an array, so you should use

if "flow" in [tags]

Can you show an event either using

output { stdout { codec => rubydebug } }

or copy and paste from the JSON tab in Kibana?

I've tried the if "flow" in [tags] as well and same result but here is the json output.

{
  "_index": "flows-2019.44",
  "_type": "doc",
  "_id": "ot-NFG4Bd0HUI2PrhoEY",
  "_version": 1,
  "_score": null,
  "_source": {
    "dst_ip": "4.2.2.2",
    "bytes_out": 61,
    "tags": [
      "bro",
      "flow"
    ],
    "packets_in": 1,
    "event_time_received": "2019-10-28T22:47:29.556Z",
    "packets": 2,
    "conn_state": "SF",
    "transport": "udp",
    "conn_history": "Dd",
    "asn": {
      "asn": 3356,
      "ip": "4.2.2.2",
      "as_org": "Level 3 Communications, Inc."
    },
    "app": "dns",
    "geo": {
      "longitude": -97.822,
      "country_code2": "US",
      "latitude": 37.751,
      "location": {
        "lat": 37.751,
        "lon": -97.822
      },
      "ip": "4.2.2.2",
      "continent_code": "NA",
      "country_name": "United States"
    },
    "@version": "1",
    "src_port": 32768,
    "direction": "outbound",
    "src_ip": "192.168.1.15",
    "bytes_in": 125,
    "packets_out": 1,
    "host": {
      "name": "abc-nsm-0"
    },
    "bytes": 186,
    "dst_port": 53,
    "uuid": "2f49a8df-1a9d-45ec-9935-e52553a400d3",
    "@timestamp": "2019-10-28T22:47:17.149Z",
    "duration": 0.047811
  },
  "fields": {
    "@timestamp": [
      "2019-10-28T22:47:17.149Z"
    ]
  },
  "sort": [
    1572302837149
  ]
}

Do you actually drop traffic that has the dns_traffic tag? Is it possible that the flow tag is getting added later in the process? Otherwise I cannot think of why this would not work.

Yep, that's exactly what it was. My new conf began with 1010 while the conf that adds the flow tags began with 5000. I changed it to 5010, but it still didn't work; however, if I change it to letters first, ABC5010, then it works. What is the order for processing these files?

The documentation states that if path.config is a directory (or wildcard) then "all files in that directory will be concatenated in lexicographical order and then parsed as a single config file". In lexicographical order in Java, numbers come before letters.
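The two problems in this thread (comparing the [tags] array to a string, and a config file that sorts before the one adding the tag) can be reproduced with a small Ruby model of how Logstash concatenates path.config files and runs their filters in order. This is an added example, not code from the thread or from Logstash itself; the file names, the lambda filters and the event are constructed for illustration.

```ruby
# Added example, not from the thread: a small Ruby model of how Logstash
# concatenates config files from path.config and runs their filters in order.
# File names, filters and the event are constructed for illustration.

# Stand-in for the "5000" file that tags Bro/Zeek connection records with "flow".
ADD_FLOW_TAG = lambda do |event|
  (event["tags"] ||= []) << "flow"
  event
end

# Stand-in for the poster's original filter: if [tags] == "flow" { ... }.
# [tags] is an array, so comparing it to the string "flow" never matches.
TAG_DNS_WITH_EQUALITY = lambda do |event|
  event["tags"] << "dns_traffic" if event["tags"] == "flow"
  event
end

# Stand-in for the corrected filter: if "flow" in [tags] { mutate { add_tag => ["dns_traffic"] } }
TAG_DNS_WITH_IN = lambda do |event|
  tags = Array(event["tags"])
  if tags.include?("flow") && event["dst_port"] == 53
    event["tags"] = tags | ["dns_traffic"]   # add_tag does not duplicate an existing tag
  end
  event
end

# Logstash sorts the file names as plain strings: digits sort before letters,
# so "1010-..." precedes "5000-..." while "ABC5010-..." follows it.
def load_order(filenames)
  filenames.sort
end

# Apply each file's filter to a copy of the event, in load order.
def run_pipeline(configs, event)
  ev = Marshal.load(Marshal.dump(event))
  load_order(configs.keys).each { |name| configs[name].call(ev) }
  ev
end

# Constructed event mirroring the JSON above, before the flow file has run.
SAMPLE_EVENT = { "app" => "dns", "transport" => "udp", "dst_port" => 53, "tags" => ["bro"] }.freeze

def dns_tagged?(configs)
  run_pipeline(configs, SAMPLE_EVENT)["tags"].include?("dns_traffic")
end

if __FILE__ == $0
  puts dns_tagged?("1010-dns.conf" => TAG_DNS_WITH_IN, "5000-flow.conf" => ADD_FLOW_TAG)     # false
  puts dns_tagged?("ABC5010-dns.conf" => TAG_DNS_WITH_IN, "5000-flow.conf" => ADD_FLOW_TAG)  # true
end
```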
