Logstash filter not working

Hi gals,

I am using the following filter:

filter {
  if [type] == "syslog" {
    if [host] == "X.X.X.X" {
      grok {
        match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{YEAR} %{DATA:host} %{DATA:syslog_program}: <%{DATA:othernumber}> <%{DATA:pid}> <%{DATA:severity_level}> <%{DATA:hostinfo} %{IP:client}> %{GREEDYDATA:syslog_message}" }
      }
      mutate {
        add_field => {
          system => "Controller"
        }
      }
    } else {
      grok {
        match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{NUMBER:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}" }
      }
    }
    mutate {
      add_field => {
        retention => "medium"
      }
      remove_tag => ["_grokparsefailure_sysloginput"]
    }
  }
}

I added an if/else clause because the syslogs from this specific IP look different, but it does not jump into the if branch of the clause.

Any ideas?

Thank you

Try this instead:

if ([host] =~ /^192\.168\.0\.1/)

Obviously replace the IP address with your own.

Thank you! Worked like a charm!


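The accepted answer replaces an exact string comparison with a regex condition. As an added example that is not part of the thread, this Ruby snippet (Logstash conditionals use Ruby regex semantics) replays that check against constructed host values and shows the one thing worth verifying before deploying it: `^192\.168\.0\.1` is anchored only at the start, so it also matches 192.168.0.10 and 192.168.0.100 and would route those hosts into the Controller branch, while anchoring at both ends matches only the intended address.

```ruby
# Added example (not from the original thread). Logstash evaluates
# `if ([host] =~ /.../)` with Ruby regex semantics, so the same patterns
# can be checked here against constructed host values before deployment.

# The pattern from the accepted answer: anchored at the start only.
PREFIX_ONLY = /^192\.168\.0\.1/
# Anchored at both ends, so only the exact address matches.
EXACT       = /^192\.168\.0\.1$/

# Mimics the conditional for one event and returns the branch it would
# take: "Controller" (the if branch) or "default" (the else branch).
def route(host, pattern)
  host =~ pattern ? "Controller" : "default"
end

# Constructed sample host values such as a syslog input might set.
SAMPLE_HOSTS = ["192.168.0.1", "192.168.0.10", "192.168.0.100",
                "192.168.0.2", "10.0.0.1"].freeze

# Returns a hash of host => branch for the given pattern.
def route_all(pattern)
  SAMPLE_HOSTS.each_with_object({}) { |h, acc| acc[h] = route(h, pattern) }
end

if __FILE__ == $0
  puts "prefix-only: #{route_all(PREFIX_ONLY)}"
  puts "exact:       #{route_all(EXACT)}"
end
```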