Hi All,
I was trying to set up Logstash data enrichment: checking whether IP addresses exist in an external DNSBL (DNS Blocklist).
filter {
  grok {
    # extract the four octets of the IP address; INT and escaped dots keep the
    # pattern from matching arbitrary text (WORD with unescaped "." would)
    match => { "message" => "%{INT:addr1}\.%{INT:addr2}\.%{INT:addr3}\.%{INT:addr4}" }
  }
  mutate {
    add_field => {
      # reformat the address (octets reversed) for the Spamhaus query
      "spamhaus_reverse_lookup" => "%{addr4}.%{addr3}.%{addr2}.%{addr1}.zen.spamhaus.org"
    }
  }
  dns {
    # perform the lookup using the reversed address format
    resolve => [ "spamhaus_reverse_lookup" ]
    nameserver => [ "x.x.x.x" ]
    add_tag => [ "dns_successful_lookup" ]
    action => replace
  }
  if "dns_successful_lookup" in [tags] {
    # 127.0.0.2 is a special return address from Spamhaus indicating that the
    # looked-up address is listed in the Spamhaus spam database
    if [spamhaus_reverse_lookup] == "127.0.0.2" {
      mutate {
        add_tag => [ "spam_address" ]
      }
    }
  }
}
I get a message stating
[FATAL] 2018-02-22 12:41:53.785 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, and, or, xor, nand, { at line 19, column 8 (byte 533) after filter {
But if I comment out the last section of the filter it works fine; I am not sure what the problem is with that.
filter {
  if [type] == "spam" {
    grok {
      match => { "message" => "%{WORD:addr1}.%{WORD:addr2}.%{WORD:addr3}.%{WORD:addr4}" }
    }
    mutate {
      add_field => {
        "spamhaus_reverse_lookup" => "%{addr4}.%{addr3}.%{addr2}.%{addr1}.zen.spamhaus.org"
      }
    }
    dns {
      resolve => [ "spamhaus_reverse_lookup" ]
      nameserver => [ "x.x.x.x" ]
      add_tag => [ "dns_successful_lookup" ]
      action => replace
    }
    # if "dns_successful_lookup" in [tags] {
    #   if [spamhaus_reverse_lookup] == "127.0.0.2"
    #     mutate {
    #       add_tag => [ "spam_address" ]
    #     }
    # }
  }
}
Please let me know what the problem could be in the Logstash filter.
Thanks,
Raj
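The lookup the filter above performs (reverse the octets, append the zone, interpret a 127.0.0.x answer) is shown below as an added, stand-alone Python example; it is not part of the original post and not Logstash's dns filter. It goes slightly beyond the post by classifying the full set of Spamhaus ZEN return codes rather than only 127.0.0.2, and by treating answers outside 127.0.0.0/24 as query errors instead of listings. The FAKE_DNS table is constructed sample data standing in for a real resolver; the function names are this example's own.

```python
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"  # the zone queried in the original post

# Spamhaus ZEN return codes (as documented by Spamhaus). The post checks only
# for 127.0.0.2, which is just one of several "listed" answers.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/24")


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Reverse the octets of an IPv4 address and append the DNSBL zone,
    e.g. 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"only IPv4 is handled here: {ip}")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answer(answer):
    """Map a DNSBL A-record answer (None for NXDOMAIN) to a verdict string."""
    if answer is None:
        return "not_listed"
    if ipaddress.ip_address(answer) in LISTED_RANGE:
        return "listed:" + ZEN_CODES.get(answer, "unknown")
    # Spamhaus answers 127.255.255.x to signal query errors (for example a
    # query sent through a public resolver). Such an answer is not a listing,
    # so a filter that only tests the tag, or only tests == "127.0.0.2",
    # would silently misclassify these events.
    return "error:" + answer


# Constructed resolver responses; 127.0.0.2 is the standard DNSBL test
# address (RFC 5782) that every list is expected to report as listed.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "1.2.0.192.zen.spamhaus.org": None,
    "9.0.0.10.zen.spamhaus.org": "127.255.255.254",
}


def fake_resolve(name):
    """Offline stand-in for a DNS A lookup against the DNSBL zone."""
    return FAKE_DNS.get(name)


def live_resolve(name):
    """Real lookup using the system resolver (not used by the tests)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, resolve=fake_resolve, zone=ZEN_ZONE):
    """Build the query name, resolve it, and return (name, verdict)."""
    name = dnsbl_query_name(ip, zone)
    return name, classify_answer(resolve(name))


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.1", "10.0.0.9"):
        print(ip, *check_ip(ip))
```

Swap `live_resolve` in for `fake_resolve` to query for real; note that Spamhaus expects queries to come from your own resolver, which is why the post's `nameserver => [ "x.x.x.x" ]` setting matters.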