Logstash complex IF condition

Jan_Kabelka · November 24, 2021, 11:00am

Dear, would you know how to write complex IF condition on Logstash? I would like to add new tag once two fields have different values, except of some combinations of them. What works:

if [event][code] == "1" and [processtemptemp] and [processpetemp] and "original_file_name_missing" not in [tags] {
   if ( [processtemptemp] != "nltest.exe" and [processpetemp] != "nltestrk.exe" )  {
      if [processtemptemp] != [processpetemp] {
          mutate {
            add_tag => [ "file_rename" ]
            tag_on_failure => ["_add_tag_failure_file_rename"]
    }
  }
 }
}

What does not work:

if [event][code] == "1" and [processtemptemp] and [processpetemp] and "original_file_name_missing" not in [tags] {
   if (( [processtemptemp] != "nltest.exe" and [processpetemp] != "nltestrk.exe" ) or ( [processtemptemp] != "schtasks.exe" and [processpetemp] != "sctasks.exe" )) {
      if [processtemptemp] != [processpetemp] {
          mutate {
            add_tag => [ "file_rename" ]
            tag_on_failure => ["_add_tag_failure_file_rename"]
    }
  }
 }
}

I tried also IF/ELSE IF, but also does not work.

Any idea how to solve it? Thank you!

Jan_Kabelka · November 24, 2021, 1:10pm

Solved as below even if I do not like it:)

if "file_rename" in [tags] and [processtemptemp] == "nltest.exe" and [processpetemp] == "nltestrk.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

if "file_rename" in [tags] and [processtemptemp] == "schtasks.exe" and [processpetemp] == "sctasks.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

if "file_rename" in [tags] and [processtemptemp] == "microsoftedgeupdate.exe" and [processpetemp] == "msedgeupdate.dll" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

leandrojmp · November 24, 2021, 2:24pm

I think you can try something like this:

if "file_rename" in [tags] and [processtemptemp] in ["nltest.exe", "schtasks.exe", "microsoftedgeupdate.exe"] and [processpetemp] in ["nltestrk.exe","sctasks.exe","msedgeupdate.dll"] {
    mutate {
        remove_tag => [ "file_rename"]
    }
}

Jan_Kabelka · November 26, 2021, 4:17pm

Thank you, but then I would combine eg.

"processtemptemp" : "nltest.exe" AND "processpetemp" :"sctasks.exe"

... which I do not want to... I implemented approach below:

# FP reduction

if "file_rename" in [tags] and [processtemptemp] == "nltest.exe" and [processpetemp] == "nltestrk.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

if "file_rename" in [tags] and [processtemptemp] == "schtasks.exe" and [processpetemp] == "sctasks.exe" {

  mutate {

    remove_tag => [ "file_rename" ]

 }

}

system · December 24, 2021, 4:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If/Else comparison to add tag Logstash	6	1553	October 13, 2020
Issues with Logstash Conditionals inside filter Logstash	7	374	May 10, 2019
How to add multiple conditions in single if statement if ((A==1) && (B==( 2 \|\| 3)) Logstash docker	4	713	January 14, 2020
If condition statement in Logstash Logstash	1	746	February 26, 2018
If statement within logstash Logstash	4	764	June 29, 2020

Logstash complex IF condition

Related topics