Logstash filter not working

DanielE · November 23, 2018, 10:07am

Hi gals,

i am using the following filter:

filter {
  if [type] == "syslog" {
      if [host] == "X.X.X.X" {
         grok {
          match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{YEAR} %{DATA:host} %{DATA:syslog_program}: <%{DATA:othernumber}> <%{DATA:pid}> <%{DATA:severity_level}> <%{DATA:hostinfo} %{IP:client}> %{GREEDYDATA:syslog_message}"}
         }
      mutate {
        add_field => {
            system => "Controller"
        }
      }
      } else {
         grok {
           match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{NUMBER:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}"}
         }
      }
      mutate {
         add_field => {
            retention => "medium"
         }
         remove_tag => ["_grokparsefailure_sysloginput"]
      }
  }
}

I added if / else clause because the syslogs from this specific IP Looks different, but it does not jump into the if branch of the clause.

Any ideas?

Thank you

Eniqmatic · November 23, 2018, 10:42am

Try this instead:

if ([host] =~ /^192\.168\.0\.1/)

Obviously replace the IP address with your own.

DanielE · November 23, 2018, 2:09pm

Thank you! Worked like a charm!

system · December 21, 2018, 2:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Syslog filter for IP Logstash	4	841	March 7, 2021
Logstash : Cant filter syslog from Pfsense firewall Logstash	3	1014	July 6, 2017
Logstash filter not wroking Logstash	7	2155	October 12, 2017
Parsing Syslog with Logstash Grock Filter isn't working with Kibana Logstash	3	379	August 14, 2021
Grok filter if [type] Logstash	5	6103	January 16, 2017

Logstash filter not working

Related topics