Logstash config file interpolation issue

I'm having an issue that I'm finally giving up on and I need to ask for some help.

Here is what I'm doing:

    ...
    geoip {
        source => "[system][auth][ssh][ip]"
        target => "[system][auth][ssh][geoip]"
    }

    memcached {
        hosts => ["ip.add.re.ss:11211"]
        get => {
            "%{[system][auth][ssh][ip]}" => "[company][ip_reputation][source]"
        }
        add_tag => [ "ip_reputation_hit" ]
    }
    ...

The idea is that I'm looking up IPs in a memcached "db" to see if they match reputation lists right before indexing, but that's not the issue: the issue is that it's sending a literal %{[system][auth][ssh][ip]} to the memcached server, confirmed with a tcpdump. I included the geoip block to show that I do have [system][auth][ssh][ip] configured.

The most confusing part is that I'm not able to recreate the issue in testing. I created the following test config:

    input {
      stdin {
        codec => json
      }
    }
    filter {

      mutate {
        copy => ["ip", "[system][auth][ssh][ip]"]
      }

      memcached {
         hosts => ["ip.ad.dre.ss:11211"]
         get => {
            "%{[system][auth][ssh][ip]}" => "[company][ip_reputation][source]"
         }
         add_tag => "ip_reputation_hit"
      }

    }
    output {
      stdout {
         codec => rubydebug
      }
    }

and if I test it with the input { "ip" : "1.1.1.1" }, it works as I would expect it to, using the same version of Logstash (6.5.4) I'm using in production.

I hope this is something simple that I'm just overlooking. Thanks for looking!
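
One way to check which events would leave the memcached key unresolved, as an added example that is not part of the original post: Logstash's sprintf keeps a %{...} reference as literal text when the referenced field is missing or null on the event, and this Python sketch models only that rule (date formats and array/hash rendering are ignored). The function names and the sample events are constructed for illustration.

```python
import json
import re

# Matches Logstash-style sprintf references such as %{[a][b]} or %{field}.
REF = re.compile(r"%\{([^}]+)\}")
# Splits a bracketed field reference "[a][b][c]" into its path segments.
SEGMENT = re.compile(r"\[([^\[\]]+)\]")
MISSING = object()


def lookup(event, ref):
    """Resolve a field reference in a nested dict; MISSING if a segment is absent."""
    path = SEGMENT.findall(ref) if ref.startswith("[") else [ref]
    node = event
    for seg in path:
        if not isinstance(node, dict) or seg not in node:
            return MISSING
        node = node[seg]
    return node


def sprintf(template, event):
    """Substitute resolvable references; unresolved ones stay as literal text."""
    def repl(match):
        value = lookup(event, match.group(1))
        return match.group(0) if value is MISSING or value is None else str(value)
    return REF.sub(repl, template)


def unresolved_keys(template, lines):
    """Return (line_number, key) for JSON events whose key still contains %{...}."""
    hits = []
    for number, line in enumerate(lines, 1):
        key = sprintf(template, json.loads(line))
        if REF.search(key):
            hits.append((number, key))
    return hits


KEY = "%{[system][auth][ssh][ip]}"
# Constructed sample events (not from the original post): one SSH event with an
# IP, one non-SSH auth event, one with only a top-level "ip", one with a null IP.
SAMPLE = [
    '{"system": {"auth": {"ssh": {"ip": "1.1.1.1"}}}}',
    '{"system": {"auth": {"sudo": {"user": "root"}}}}',
    '{"ip": "1.1.1.1"}',
    '{"system": {"auth": {"ssh": {"ip": null}}}}',
]

if __name__ == "__main__":
    for number, key in unresolved_keys(KEY, SAMPLE):
        print(f"event {number}: memcached key would be sent as {key!r}")
```

Feeding it a JSON-lines export of real events, taken at the point in the pipeline just before the memcached filter, shows whether the literal keys seen in the tcpdump line up with events that lack the field.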
