Logstash complex IF condition

Jan_Kabelka · November 24, 2021, 11:00am

Dear, would you know how to write complex IF condition on Logstash? I would like to add new tag once two fields have different values, except of some combinations of them. What works:

if [event][code] == "1" and [processtemptemp] and [processpetemp] and "original_file_name_missing" not in [tags] {
   if ( [processtemptemp] != "nltest.exe" and [processpetemp] != "nltestrk.exe" )  {
      if [processtemptemp] != [processpetemp] {
          mutate {
            add_tag => [ "file_rename" ]
            tag_on_failure => ["_add_tag_failure_file_rename"]
    }
  }
 }
}

What does not work:

if [event][code] == "1" and [processtemptemp] and [processpetemp] and "original_file_name_missing" not in [tags] {
   if (( [processtemptemp] != "nltest.exe" and [processpetemp] != "nltestrk.exe" ) or ( [processtemptemp] != "schtasks.exe" and [processpetemp] != "sctasks.exe" )) {
      if [processtemptemp] != [processpetemp] {
          mutate {
            add_tag => [ "file_rename" ]
            tag_on_failure => ["_add_tag_failure_file_rename"]
    }
  }
 }
}

I tried also IF/ELSE IF, but also does not work.

Any idea how to solve it? Thank you!

Jan_Kabelka · November 24, 2021, 1:10pm

Solved as below even if I do not like it:)

if "file_rename" in [tags] and [processtemptemp] == "nltest.exe" and [processpetemp] == "nltestrk.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

if "file_rename" in [tags] and [processtemptemp] == "schtasks.exe" and [processpetemp] == "sctasks.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

if "file_rename" in [tags] and [processtemptemp] == "microsoftedgeupdate.exe" and [processpetemp] == "msedgeupdate.dll" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

leandrojmp · November 24, 2021, 2:24pm

I think you can try something like this:

if "file_rename" in [tags] and [processtemptemp] in ["nltest.exe", "schtasks.exe", "microsoftedgeupdate.exe"] and [processpetemp] in ["nltestrk.exe","sctasks.exe","msedgeupdate.dll"] {
    mutate {
        remove_tag => [ "file_rename"]
    }
}

Jan_Kabelka · November 26, 2021, 4:17pm

Thank you, but then I would combine eg.

"processtemptemp" : "nltest.exe" AND "processpetemp" :"sctasks.exe"

... which I do not want to... I implemented approach below:

# FP reduction

if "file_rename" in [tags] and [processtemptemp] == "nltest.exe" and [processpetemp] == "nltestrk.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

if "file_rename" in [tags] and [processtemptemp] == "schtasks.exe" and [processpetemp] == "sctasks.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

system · December 24, 2021, 4:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.