Logstash filter no longer works after upgrading

kernelpanic · May 15, 2018, 9:49am

Hello all, when I was using Logstash 5.3.0 I had the following filter which worked without issue:

if [event_id] == 257 and [computer_name] == "EXCHANGE-SERVER-1.DOMAIN.COM" or [computer_name] == "EXCHANGE-SERVER-2.DOMAIN.COM" or [computer_name] == "EXCHANGE-SERVER-3.DOMAIN.COM" {
   drop {}
  }

However since upgrading to the latest version of Logstash I've noticed that I only get events from EXCHANGE-SERVER-1.DOMAIN.COM - no events come through for the other servers regardless of the event ID.

Can any tell me why this used to work but no longer does?

Thanks.

paz · May 15, 2018, 9:55am

Could be something about how Logstash handles conditional grouping. That said, you can remove the multiple ORs by converting it to

if [event_id] == 257 and [computer_name] in ["EXCHANGE-SERVER-1.DOMAIN.COM", "EXCHANGE-SERVER-2.DOMAIN.COM", "EXCHANGE-SERVER-3.DOMAIN.COM"] {
   drop {}
}

system · June 12, 2018, 9:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop filter in Logstash filter not working for the below event Logstash	2	176	October 13, 2023
Logstash filter condition not working some times Logstash	7	443	September 1, 2022
Filter conditionals not working as expected Logstash	3	301	December 27, 2020
Logstash Filter to drop Beats events Logstash	2	256	September 19, 2019
Logstash Filter Conditional Usage Logstash	3	276	July 10, 2019

Logstash filter no longer works after upgrading

Related Topics