Logstash aggregate problem

fabryx87 · April 30, 2021, 10:05am

Hi all,

I am trying to do an aggregate in logstash, but probably i am not understanding how it works....
I want to copy the field contenent of elevated_token inside the map, and create a new field with this value on the end task.
I will need to apply this method to other fields as well.

can you please help me?

if "system_session" not in [tags] {
    aggregate {
      task_id => "%{winlog.event_data.TargetLogonId}"
      code => "map['elevated_token'] += event.get([winlog][event_data][ElevatedToken])"
      map_action => "create"
    }
}
if [winlog][event_id] == 4634{
    aggregate {
          task_id => "%{winlog.event_data.TargetLogonId}"
          code => "event.set('elevated_token', map['elevated_token'])"
          map_action => "update"
          end_of_task => true
          push_map_as_event_on_timeout => true
          timeout_tags => ['_aggregatetimeout']
          timeout => 28800
    }
}

Badger · April 30, 2021, 3:34pm

It seems likely that you mean %{[winlog][event_data][TargetLoginId]}

fabryx87 · May 4, 2021, 8:03am

Hi Badger,

thanks for your reply.
unfortunatelly it didn't help, do you have any other suggest?
is there a way to add some tag to check if a step is done or not?

thanks

if "system_session" not in [tags] {
                    mutate {
                     add_field => { "legit" => "yes" }
                    }
                    aggregate {
                         task_id => "%{[winlog][event_data][TargetLoginId]}"
                         code => "map['elevated_token'] += event.get([winlog][event_data][ElevatedToken])"
                         map_action => "create"
                         }
                    }
                }
        }
           if [winlog][event_id] == 4634 or [event][code] == 4647{
           aggregate {
                 task_id => "%{[winlog][event_data][TargetLoginId]}"
                 code => "event.set('elevated_token', map['elevated_token'])"
                 map_action => "update"
                 end_of_task => true
                 push_map_as_event_on_timeout => true
                 timeout_tags => ['_aggregatetimeout']
                 timeout => 28800
            }

Badger · May 4, 2021, 4:25pm

add_tag is one of the common options that pretty much every filter supports. That said, adding the tag ("decorating the event") is only done if the filter matches the event. So, for example, in a date or grok filter, if the source field does not exist then nothing is done and the event is not decorated. An aggregate filter will decorate the event unless an error occurs.

fabryx87 · May 5, 2021, 7:44am

ok, how can I troubleshoot in this case to understand what is going on and why this aggregate doesn't work?
because it add the field

mutate {
add_field => { "legit" => "yes" }
 }

but I don't have any trace of the aggregate.

fabryx87 · May 12, 2021, 9:35am

Any help on this?
thanks

system · June 9, 2021, 9:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.