IF/THEN in output config not working properly

I have created an output config for Logstash and attempted to specify which index each of a few different feeds should go to by using if/then/else statements in the config file. Regardless of what I try, data I do not want in the first filter ends up in that index as well as in the one I specified for it. Data that is supposed to be caught by the first IF statement is nowhere to be found.

I am trying to isolate each data source in its own index without much luck. See the config below:

output
{
    if [type] == "tomato"
    {
        elasticsearch
        {
            hosts => "192.168.1.5:9200"
            index => "tomato-%{+YYYY.MM.dd}"
        }
    }
    else if "192.168.1.254" in [host]
    {
        elasticsearch
        {
            hosts => "192.168.1.5:9200"
            index => "pfsense-%{+YYYY.MM.dd}"
        }
    }
    else
    {
        elasticsearch
        {
            hosts => "192.168.1.5:9200"
            index => "logstash-%{+YYYY.MM.dd}"
        }
    }

    stdout
    {
        codec => rubydebug
    }
}

Please give an example of an event that ended up in the wrong place. Copy the raw JSON event from Kibana's JSON tab.

See below. The expected outcome was for this to end up in the pfsense-"date" index... which it did. However, it is also in the tomato index.

{
  "_index": "tomato-2018.01.29",
  "_type": "doc",
  "_id": "s9LCP2EBkOR6wJ8oDxnP",
  "_version": 1,
  "_score": null,
  "_source": {
    "dest_ip": "144.76.59.84",
    "action": "pass",
    "proto": "udp",
    "tags": [
      "PFSense",
      "firewall",
      "GeoIP"
    ],
    "@version": "1",
    "src_port": "19318",
    "dest_port": "25903",
    "src_ip": "76.73.142.47",
    "geoip": {
      "timezone": "America/Chicago",
      "country_name": "United States",
      "region_code": "AL",
      "longitude": -86.5863,
      "location": {
        "lon": -86.5863,
        "lat": 32.5141
      },
      "city_name": "Prattville",
      "postal_code": "36067",
      "dma_code": 698,
      "country_code2": "US",
      "ip": "76.73.142.47",
      "continent_code": "NA",
      "country_code3": "US",
      "region_name": "Alabama",
      "latitude": 32.5141
    },
    "reason": "match",
    "ip_ver": "4",
    "tracker": "1000003811",
    "offset": "0",
    "direction": "out",
    "rule": "40",
    "flags": "DF",
    "message": "40,,,1000003811,em0,match,pass,out,4,0x0,,3,18442,0,DF,17,udp,28,76.73.142.47,144.76.59.84,19318,25903,8",
    "evtid": "134",
    "length": "28",
    "ttl": "3",
    "prog": "filterlog",
    "iface": "em0",
    "id": "18442",
    "@timestamp": "2018-01-29T02:32:18.000Z",
    "data_length": "8",
    "host": "192.168.1.254",
    "type": "syslog",
    "tos": "0x0",
    "proto_id": "17"
  },
  "fields": {
    "@timestamp": [
      "2018-01-29T02:32:18.000Z"
    ]
  },
  "sort": [
    1517193138000
  ]
}

Do you have additional configuration files in /etc/logstash/conf.d (or wherever you keep them)? Do any of those files contain an elasticsearch output pointing to the tomato index?
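The last reply points at the usual cause of this symptom: Logstash concatenates every file in the config directory into a single pipeline, so an elasticsearch output in a second file runs for every event in addition to the conditional chain above. The following Python script is an added illustration, not Logstash code or anything from this thread: it re-implements the three branches of the posted output section and the %{+YYYY.MM.dd} suffix as plain functions, feeds them the type, host and @timestamp fields of the Kibana document shown above (the event is constructed from those values), and then shows how merging a hypothetical second file with an unconditional tomato output produces exactly the double indexing the original poster observed.

```python
"""Model of how the Logstash output conditionals in this thread route one event.

Added example, not Logstash itself. The conditional chain below mirrors the
posted output section; unconditional_tomato_output() is a hypothetical second
conf.d file that the thread does not show but the last reply asks about.
"""
from datetime import datetime

# Constructed event: only the fields the conditionals inspect, taken from the
# Kibana JSON document in the thread.
EVENT = {
    "type": "syslog",
    "host": "192.168.1.254",
    "@timestamp": "2018-01-29T02:32:18.000Z",
}


def index_name(pattern, event):
    """Expand the %{+YYYY.MM.dd} date suffix from the event's @timestamp (UTC)."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return pattern.replace("%{+YYYY.MM.dd}", ts.strftime("%Y.%m.%d"))


def conditional_outputs(event):
    """The if / else if / else chain from the posted config, as Python.

    Exactly one branch fires, so this section alone writes each event to
    exactly one index.
    """
    if event.get("type") == "tomato":
        return [index_name("tomato-%{+YYYY.MM.dd}", event)]
    elif "192.168.1.254" in event.get("host", ""):
        # Logstash's `"x" in [host]` is a substring test on a string field.
        return [index_name("pfsense-%{+YYYY.MM.dd}", event)]
    else:
        return [index_name("logstash-%{+YYYY.MM.dd}", event)]


def unconditional_tomato_output(event):
    """Hypothetical second file in conf.d (assumption, not from the thread):
    an elasticsearch output with no surrounding conditional. Because Logstash
    merges all files in the directory into one pipeline, it sees every event."""
    return [index_name("tomato-%{+YYYY.MM.dd}", event)]


def route(event, output_sections):
    """Every output section in the merged pipeline sees every event, so the
    event is indexed once per elasticsearch output whose branch fires."""
    targets = []
    for section in output_sections:
        targets.extend(section(event))
    return targets


if __name__ == "__main__":
    # Single file: the pfsense branch is the only one that fires.
    print("one file  :", route(EVENT, [conditional_outputs]))
    # Two files merged: the same event now lands in pfsense AND tomato.
    print("two files :", route(EVENT, [conditional_outputs, unconditional_tomato_output]))
```

Running it prints one target for the single-file pipeline and two for the merged one, which is the pattern in the question: the conditional chain is correct, and the stray copy comes from an output that is outside it. Listing the elasticsearch outputs across every file in the directory (for example by grepping for `index =>`) is the quick way to confirm which file is responsible.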
