Logstash filter condition not working some times

Hello,

I have following logstash configuration file for winlogbeat events:

input {
  # Winlogbeat
  beats {
    port => 5044
  }
}
filter {
  # Filter winlogbeat events
  mutate {
    rename => {
      "[event][code]" => "event_id"
      "[winlog][event_data][TargetUserName]" => "destination_user_name"
      "[winlog][event_data][MemberName]" => "tls_client_issuer"
    }
  }
  if [source_ip] == "-" {
    mutate {
      replace => [ "source_ip", "0.0.0.0" ]
    }
  }
  mutate {
    copy => { "[message]" => "event_original" }
  }
  # Group management events: swap the renamed fields so the group lands in group_name
  if [event_id] == "4755" or [event_id] == "4731" or [event_id] == "4763" or [event_id] == "4730" or [event_id] == "4758" or [event_id] == "4754" or [event_id] == "4759" or [event_id] == "4760" or [event_id] == "4757" or [event_id] == "4735" or [event_id] == "4729" or [event_id] == "4732" or [event_id] == "4756" or [event_id] == "4737" or [event_id] == "4727" or [event_id] == "4728" or [event_id] == "4762" or [event_id] == "4761" {
    mutate {
      rename => {
        "destination_user_name" => "group_name"
        "tls_client_issuer" => "destination_user_name"
      }
    }
  }
}

What I want to achieve is that when event_id matches any of the OR conditions defined, the mentioned field names are renamed.

This configuration seems to work fine, but after a few hours it stopped working, as some of the events were not renamed according to the condition defined. After a few minutes it starts working again, although no changes were made and the service was not restarted.

Could you help me with this issue?

Thank you.

Not sure if this is your problem, but I've had issues when the if statement contains more than one condition if parentheses are missing. So maybe try if ([event_id] == "4755"...) {.

It seems that's not the reason for my issue. I tested adding parentheses, but as mentioned before, this field renaming works intermittently. Thanks for the help.

Your condition looks fine; my guess would be that the problem is elsewhere. Is there any parsing involved earlier or after this statement?

And how do you ship logs? Can you describe the log flow and the solutions that are involved in shipping / parsing?

I updated my first comment adding the complete filter section on my logstash conf file.

Conditionals and mutate actions before the conditional related to the issue are working fine.

Events are shipped from a Windows server where I have default winlogbeat running. I'm using logstash to parse/transform some fields/values related.

Collection is working fine so far, apart from this conditional that doesn't rename the expected fields sometimes.

Thanks for the help.

Can you check how the "event_id" field arrives, numeric or string?
Your conf is OK if it is a string. If it is numeric, it should be:
if [event_id] == 4755 or [event_id] == 4731

If you think that the process has stopped, details will be in logstash.log.
Sometimes records are not sent every second. Windows logs are asynchronous events.
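The type question above is worth settling in the pipeline itself rather than guessing. The filter below is an added example, not part of the original post or of Winlogbeat's own configuration: it converts event_id to a string right after the rename so the comparison no longer depends on whether the shipper sent a number or a string, replaces the long "or" chain with a membership test on the same event IDs, and tags events so a missed rename is visible in the index. The tag names are assumptions chosen for this example.

```logstash
filter {
  # Added example (not from the original post). Assumes the Beats input and the
  # first rename from the thread; only the event_id handling changes.
  mutate {
    rename => { "[event][code]" => "event_id" }
  }
  # Whether event_id arrives as a number or a string depends on the shipper;
  # after this convert, the string comparison below always applies.
  mutate {
    convert => { "event_id" => "string" }
  }

  # Same group-management event IDs as the original condition, as one list.
  if [event_id] in ["4727", "4728", "4729", "4730", "4731", "4732", "4735", "4737",
                    "4754", "4755", "4756", "4757", "4758", "4759", "4760", "4761",
                    "4762", "4763"] {
    mutate {
      rename => {
        "destination_user_name" => "group_name"
        "tls_client_issuer" => "destination_user_name"
      }
      # Assumed tag name: lets you count matched events in Kibana.
      add_tag => [ "group_membership_change" ]
    }
  } else if [event_id] {
    # Troubleshooting aid (assumed tag name): events that carry an event_id but
    # fell outside the list, so an unexpected value shows up instead of vanishing.
    mutate { add_tag => [ "event_id_not_in_group_list" ] }
  }
}
```

When the renames go missing again, filter on the two tags: events with the "not in list" tag but a listed event_id point at the value itself (for example whitespace or a different type before conversion), which is what the intermittent behaviour in the thread would show.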

Hi,
I'm testing your configuration next week; for the sake of it, do you have any documents (Elastic entries) you can show us with the failed and correct parsing?
