Logstash filter no longer works after upgrading

kernelpanic · May 15, 2018, 9:49am

Hello all, when I was using Logstash 5.3.0 I had the following filter which worked without issue:

if [event_id] == 257 and [computer_name] == "EXCHANGE-SERVER-1.DOMAIN.COM" or [computer_name] == "EXCHANGE-SERVER-2.DOMAIN.COM" or [computer_name] == "EXCHANGE-SERVER-3.DOMAIN.COM" {
   drop {}
  }

However since upgrading to the latest version of Logstash I've noticed that I only get events from EXCHANGE-SERVER-1.DOMAIN.COM - no events come through for the other servers regardless of the event ID.

Can any tell me why this used to work but no longer does?

Thanks.

paz · May 15, 2018, 9:55am

Could be something about how Logstash handles conditional grouping. That said, you can remove the multiple ORs by converting it to

if [event_id] == 257 and [computer_name] in ["EXCHANGE-SERVER-1.DOMAIN.COM", "EXCHANGE-SERVER-2.DOMAIN.COM", "EXCHANGE-SERVER-3.DOMAIN.COM"] {
   drop {}
}

system · June 12, 2018, 9:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter not working. Probably my fault :D Logstash	5	975	November 28, 2017
Drop filter in Logstash filter not working for the below event Logstash	2	176	October 13, 2023
Logstash filter not working Logstash	3	303	December 21, 2018
Logstash filter condition not working some times Logstash	7	445	September 1, 2022
Dropping multiple windows events in logstash Logstash	6	522	December 6, 2018

Logstash filter no longer works after upgrading

Related topics