Logs that do not match the Filter with IF statement

Hans · March 13, 2016, 8:44am

I have different filters for different fields in the messages and separate them with if statements. Now I have been trying to add one final section where none of the logs match and try to filter these through generic fields. I have tried with the else statement however this adds the No_Filter to all logs. Could someone maybe assist on how to add a final filter for all logs that do not match the initial one? Here is a shortened example:

`filter {
if "10.10.10.12" in [message] {
mutate {
add_tag => "JUNIPER"
}
}
if [message] =~ "RT_FLOW_SESSION_CLOSE" {
mutate {
add_tag => "FLOWCLOSE"
}
}
if [message] =~ "RT_FLOW_SESSION_DENY" {
mutate {
add_tag => "FLOWDENY"
}
}
if [message] =~ "FLOW_REASSEMBLE_FAIL" {
mutate {
add_tag => "FLOWFAIL"
}
}
if [message] =~ "RT_SCREEN*" {
mutate {
add_tag => "RT_SCREEN"
}
}
if [message] =~ "sshd" {
mutate {
add_tag => "sshd"
}
}
else {
mutate {
add_tag => "No_Filter"
}
}'

warkolm · March 14, 2016, 3:57am

That appears right, is it not working, what are you seeing?

magnusbaeck · March 14, 2016, 6:36am

The else block only applies to the list if block, i.e. any event not matching that conditional is going to get the No_Filter tag. You need to follow this pattern:

if ... {
  ...
} else if ... {
  ...
} else {
  ...
}

Hans · March 14, 2016, 5:10pm

Thank you for the response. When adding a tag with the if statements once the else is hit all logs are tagged with the No_Filter. Maybe I am doing it wrong, here is what I did:
`filter {
if "10.10.10.12" in [message] {
mutate {
add_tag => "JUNIPER"
}
}
if [message] =~ "RT_FLOW_SESSION_CLOSE" {
mutate {
add_tag => "FLOWCLOSE"
}
}
if [message] =~ "RT_FLOW_SESSION_DENY" {
mutate {
add_tag => "FLOWDENY"
}
}
if [message] =~ "FLOW_REASSEMBLE_FAIL" {
mutate {
add_tag => "FLOWFAIL"
}
}
if [message] =~ "RT_SCREEN*" {
mutate {
add_tag => "RT_SCREEN"
}
}
else if [message] =~ "sshd" {
mutate {
add_tag => "sshd"
}
}
else {
mutate {
add_tag => "No_Filter"
}
}'

magnusbaeck · March 14, 2016, 6:29pm

You need to insert "else" before "if" in all places except the first "if". As it stands, all events except RT_SCREEN and sshd ones are going to get the No_Filter tag.

Hans · March 14, 2016, 6:44pm

Thank you, that works, much appreciated

system · July 6, 2017, 5:07am