Logstash filter no longer works after upgrading

kernelpanic · May 15, 2018, 9:49am

Hello all, when I was using Logstash 5.3.0 I had the following filter which worked without issue:

if [event_id] == 257 and [computer_name] == "EXCHANGE-SERVER-1.DOMAIN.COM" or [computer_name] == "EXCHANGE-SERVER-2.DOMAIN.COM" or [computer_name] == "EXCHANGE-SERVER-3.DOMAIN.COM" {
   drop {}
  }

However since upgrading to the latest version of Logstash I've noticed that I only get events from EXCHANGE-SERVER-1.DOMAIN.COM - no events come through for the other servers regardless of the event ID.

Can any tell me why this used to work but no longer does?

Thanks.

paz · May 15, 2018, 9:55am

Could be something about how Logstash handles conditional grouping. That said, you can remove the multiple ORs by converting it to

if [event_id] == 257 and [computer_name] in ["EXCHANGE-SERVER-1.DOMAIN.COM", "EXCHANGE-SERVER-2.DOMAIN.COM", "EXCHANGE-SERVER-3.DOMAIN.COM"] {
   drop {}
}

system · June 12, 2018, 9:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.