Logstash conditionals issue

Issue: Unable to get conditionals to work
Description: I have 6 logs that are from IIS. The formats are different on 3 of the logs from IIS. The grok I am using works. But I am unable to get the conditionals to work. I have tried multiple ways for the conditionals, with path like in config or like

Examples I have tried.

if "/tmp/u_ex191115.log" or "/tmp/u_ex191118.log" in [path] {
if ("/tmp/u_ex191115.log" or "/tmp/u_ex191118.log") in [path] {
if path == "/tmp/u_ex191115.log" or "/tmp/u_ex191118.log" {
if ( path == "/tmp/u_ex191115.log" or "/tmp/u_ex191118.log" {
if ( [path] == "/tmp/u_ex191115.log" or "/tmp/u_ex191118.log" {

ingest.conf

input {
  file {
    path => [ "/tmp/*.log" ]
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {

  if [path] == "/tmp/u_ex191115.log" or "/tmp/u_ex191118.log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time} %{IP:source.ip} %{URIPROTO:Method} %{URIPATH:URI} %{NOTSPACE:Query} %{NUMBER:source.port} %{NOTSPACE:Username} %{IP:destination.ip} %{NOTSPACE:User-Agent} %{NOTSPACE:Referer} %{NUMBER:sc-status} %{NUMBER:sc_substatus} %{NUMBER:sc-win32-status} %{NUMBER:time-taken}" }
    }
  }

  if [path] == "/tmp/u_ex191116_x.log" or "/tmp/u_ex191115_x.log" or "/tmp/u_ex191118_x.log" or "/tmp/u_ex191119_x.log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time} %{NOTSPACE:Site-Name} %{IP:source.ip} %{URIPROTO:Method} %{URIPATH:URI} %{NOTSPACE:Query} %{NUMBER:source.port} %{NOTSPACE:Username} %{IP:destination.ip} %{NOTSPACE:User-Agent} %{NOTSPACE:Referer} %{NUMBER:sc-status} %{NUMBER:sc_substatus} %{NUMBER:sc-win32-status} %{NUMBER:source_bytes} %{NUMBER:client_bytes} %{NOTSPACE:time_taken}" }
    }
  }
}

output {
  file {
    path => "/tmp/ingester.log"
  }
}

Log Examples, 1 each from the 2 types I have.

2019-11-15 02:31:40 192.168.0.0 GET / - 443 - 192.168.0.0 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 400 0 0 78

2019-11-15 01:28:03 HOSTNAME 192.168.0.0 GET /apple-touch-icon-120x120-precomposed.png - 443 - 192.168.0.0 MobileSafari/604.1+CFNetwork/978.0.7+Darwin/18.7.0 - 200 0 0 1765 240 850

I have searched this forum, used the logstash docs and the Google's. Any help or direction is greatly appreciated.

Hi

I believe your ifs should be

if [path] == "/tmp/u_ex191115.log" or [path] == "/tmp/u_ex191118.log" {

Hope this helps
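The complete pipeline below is an added example, not a config posted in this thread. It applies the reply's fix (every comparison names [path] explicitly) and goes a step further: the second branch uses Logstash's list membership form instead of a chain of `or`, and a final `else` tags events whose path matched neither list, so a silently unparsed log file shows up as a tag rather than disappearing. The input path, file names and grok patterns are taken from the original post; the tag names are assumptions chosen for this example.

```logstash
input {
  file {
    path => [ "/tmp/*.log" ]
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {

  # Each operand names the field: "[path] == A or [path] == B".
  # Writing "[path] == A or B" compares only the first file name.
  if [path] == "/tmp/u_ex191115.log" or [path] == "/tmp/u_ex191118.log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time} %{IP:source.ip} %{URIPROTO:Method} %{URIPATH:URI} %{NOTSPACE:Query} %{NUMBER:source.port} %{NOTSPACE:Username} %{IP:destination.ip} %{NOTSPACE:User-Agent} %{NOTSPACE:Referer} %{NUMBER:sc-status} %{NUMBER:sc_substatus} %{NUMBER:sc-win32-status} %{NUMBER:time-taken}" }
      # Assumed tag name: makes a pattern mismatch visible in the output.
      tag_on_failure => [ "_grok_iis_short_failed" ]
    }
  }

  # Membership in a list reads the same as the chain of "or" above.
  # A suffix match such as "[path] =~ /_x\.log$/" would cover new
  # files of this layout without editing the list.
  else if [path] in [ "/tmp/u_ex191115_x.log", "/tmp/u_ex191116_x.log", "/tmp/u_ex191118_x.log", "/tmp/u_ex191119_x.log" ] {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:time} %{NOTSPACE:Site-Name} %{IP:source.ip} %{URIPROTO:Method} %{URIPATH:URI} %{NOTSPACE:Query} %{NUMBER:source.port} %{NOTSPACE:Username} %{IP:destination.ip} %{NOTSPACE:User-Agent} %{NOTSPACE:Referer} %{NUMBER:sc-status} %{NUMBER:sc_substatus} %{NUMBER:sc-win32-status} %{NUMBER:source_bytes} %{NUMBER:client_bytes} %{NOTSPACE:time_taken}" }
      tag_on_failure => [ "_grok_iis_long_failed" ]
    }
  }

  # Any other file under /tmp/*.log is neither format: tag it instead of
  # letting the line pass through unparsed and unnoticed.
  else {
    mutate { add_tag => [ "iis_unknown_format" ] }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f <this file>` against the two sample lines from the post, placed in files with the matching names; an event carrying `iis_unknown_format` or one of the `_grok_*_failed` tags points at a path that the conditionals did not route where you expected.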

Thanks. That did the trick.
