IF Statement being ignored

CamTheMan · August 30, 2018, 4:27am

Hello,

I have a (simplified) filter rule like:

filter {
    if "10.170.10.6" or "10.170.11.6" or "10.1.3.23" in [host] {
        grok {
            match => { "message" => [
                '^Accepted keyboard-interactive/pam for %{USERNAME:username} from %{IP:src_ip} port %{POSINT:src_port}' ] }
        }
        
        mutate {
            add_tag => [ "hardware" ]
        }
    
}
}

But for some reason logstash tags all events with the tag "hardware" EVEN if they are not listed as a host in "10.170.10.6" or "10.170.11.6" or "10.1.3.23".

Why is this happening? It's like the 'IF' statement is not being honored.

Any ideas on how to tag the messages only for the required hosts?

Thanks
Cam

magnusbaeck · August 30, 2018, 4:33am

if "10.170.10.6" or "10.170.11.6" or "10.1.3.23" in [host] {

Natural language doesn't always translate into if expressions. This expression probably means "if 10.170.10.6 is a non-empty string (which is always is) or 10.170.11.6 is a non-empty string (which is always is) or 10.1.3.23 is a substring of the contents of the host field". This is what you're looking for:

 if [host] in ["10.170.10.6", "10.170.11.6", "10.1.3.23"]  {

CamTheMan · August 30, 2018, 4:46am

That was fast!
Thanks very much - That would also explain why I getting grokparsefailures from other rules that arent matching correctly!
Thanks again

system · September 27, 2018, 4:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter if [type] Logstash	5	6103	January 16, 2017
Logstash if statement not working probably Logstash	2	2335	December 25, 2015
Conditional in the output is ignored Logstash	6	441	February 15, 2022
Logstash filter not working Logstash	3	303	December 21, 2018
Why i cant use if statement in grock block? Logstash	6	348	May 18, 2018

IF Statement being ignored

Related topics