IF Statement being ignored

CamTheMan · August 30, 2018, 4:27am

Hello,

I have a (simplified) filter rule like:

filter {
    if "10.170.10.6" or "10.170.11.6" or "10.1.3.23" in [host] {
        grok {
            match => { "message" => [
                '^Accepted keyboard-interactive/pam for %{USERNAME:username} from %{IP:src_ip} port %{POSINT:src_port}' ] }
        }
        
        mutate {
            add_tag => [ "hardware" ]
        }
    
}
}

But for some reason logstash tags all events with the tag "hardware" EVEN if they are not listed as a host in "10.170.10.6" or "10.170.11.6" or "10.1.3.23".

Why is this happening? It's like the 'IF' statement is not being honored.

Any ideas on how to tag the messages only for the required hosts?

Thanks
Cam

magnusbaeck · August 30, 2018, 4:33am

if "10.170.10.6" or "10.170.11.6" or "10.1.3.23" in [host] {

Natural language doesn't always translate into if expressions. This expression probably means "if 10.170.10.6 is a non-empty string (which is always is) or 10.170.11.6 is a non-empty string (which is always is) or 10.1.3.23 is a substring of the contents of the host field". This is what you're looking for:

 if [host] in ["10.170.10.6", "10.170.11.6", "10.1.3.23"]  {

CamTheMan · August 30, 2018, 4:46am

That was fast!
Thanks very much - That would also explain why I getting grokparsefailures from other rules that arent matching correctly!
Thanks again

system · September 27, 2018, 4:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.