Logstash Filter output in different files according to incoming IP address

Hello, I am using the latest version of Logstash, 8.5.1, and I am trying to output logs to files according to the source IP in the Logstash input.

I DO know the incoming IPs. I am trying to filter them out in the filter part of the Logstash pipeline configuration file.

This is what I've been trying, and it always goes to my else condition no matter what I change.

input {
  beats {
    port => 5555
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstashcert.pem"
    ssl_key => "/etc/logstash/certs/logstashkey.pem"
    ssl_verify_mode => none
  }
}

filter {

  if "192.168.1.155" in [ip] or "192.168.1.170" in [ip] {
    mutate { add_field => { "logtarget" => "test" } }
  }
  if "192.168.1.160" in [ip] or "192.168.1.175" in [ip] {
    mutate { add_field => { "logtarget" => "prod" } }
  }
  else {
    mutate { add_field => { "logtarget" => "generic" } }
  }

}

output {

  if "test" in [logtarget] {
    file {
      path => "/opt/logstash/log/windows/test-%{+YYYY-MM-dd}.log"
    }
  }

  if "prod" in [logtarget] {
    file {
      path => "/opt/logstash/log/windows/prod-%{+YYYY-MM-dd}.log"
    }
  }

  else {
    file {
      path => "/opt/logstash/log/windows/else.log"
    }
  }

}

My if statement in the filter is clearly not working, because every log goes through the else statement and is "tagged" as generic; therefore my output condition fails and always goes into the else statement, which is not what I want.

The logs I am trying to parse are Windows logs, and this is the field in the incoming data log:

"ip":["fe80::e50c:bb26:f198:8d6d","192.168.1.155"]

Does anyone have an answer for this? Or maybe a better solution to this problem?

This is the resource I've been using so far with no luck:

Please share an example of a document that you have in the /opt/logstash/log/windows/else.log file so people can look at it and try to understand or replicate the issue.

Sure, as you can see the ip field is clearly one of my conditions; yet the logtarget field is filled in as generic.

tail /opt/logstash/log/windows/else.log:

{"logtarget":"generic","@timestamp":"2022-11-18T14:18:36.512Z","message":"Privilèges spéciaux attribués à la nouvelle ouverture de session.\n\nSujet :\n\tID de sécurité :\t\tS-1-5-18\n\tNom du compte :\t\tSystème\n\tDomaine du compte :\t\tAUTORITE NT\n\tID d’ouverture de session :\t\t0x3E7\n\nPrivilèges :\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege","tags":["beats_input_codec_plain_applied"],"event":{"code":"4672","created":"2022-11-18T14:18:38.359Z","outcome":"success","original":"Privilèges spéciaux attribués à la nouvelle ouverture de session.\n\nSujet :\n\tID de sécurité :\t\tS-1-5-18\n\tNom du compte :\t\tSystème\n\tDomaine du compte :\t\tAUTORITE NT\n\tID d’ouverture de session :\t\t0x3E7\n\nPrivilèges :\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege","kind":"event","provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon"},"host":{"name":"DESKTOP-1HJ6FAO","ip":["fe80::e50c:bb26:f198:8d6d","192.168.1.155"],"mac":["00-50-56-BB-85-49"],"id":"f342c121-127b-49b5-a2ae-6d30703a6d71","architecture":"x86_64","os":{"kernel":"10.0.19041.1706 (WinBuild.160101.0800)","platform":"windows","family":"windows","name":"Windows 10 Pro N","type":"windows","build":"19042.1706","version":"10.0"},"hostname":"DESKTOP-1HJ6FAO"},"ecs":{"version":"8.0.0"},"agent":{"version":"8.5.1","ephemeral_id":"4e0d84b9-de47-4213-97ea-83a5910f464d","id":"c7f4678f-8f35-44f8-82c0-340acfac37de","name":"DESKTOP-1HJ6FAO","type":"winlogbeat"},"@version":"1","winlog":{"event_data":{"SubjectDomainName":"AUTORITE NT","SubjectLogonId":"0x3e7","SubjectUserSid":"S-1-5-18","SubjectUserName":"Système","PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"},"activity_id":"{2430351b-fb2b-0000-9135-30242bfbd801}","task":"Special Logon","computer_name":"DESKTOP-1HJ6FAO","event_id":"4672","provider_name":"Microsoft-Windows-Security-Auditing","keywords":["Succès de l’audit"],"record_id":11954,"process":{"pid":712,"thread":{"id":2180}},"provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","opcode":"Informations","api":"wineventlog","channel":"Security"},"log":{"level":"information"}}
{"logtarget":"generic","@timestamp":"2022-11-18T14:18:42.038Z","message":"La migration de bas niveau hors connexion a réussi.","tags":["beats_input_codec_plain_applied"],"event":{"code":"16394","created":"2022-11-18T14:18:42.763Z","original":"La migration de bas niveau hors connexion a réussi.","kind":"event","provider":"Microsoft-Windows-Security-SPP","action":"None"},"ecs":{"version":"8.0.0"},"host":{"name":"DESKTOP-1HJ6FAO","ip":["fe80::e50c:bb26:f198:8d6d","192.168.1.155"],"mac":["00-50-56-BB-85-49"],"id":"f342c121-127b-49b5-a2ae-6d30703a6d71","os":{"kernel":"10.0.19041.1706 (WinBuild.160101.0800)","platform":"windows","family":"windows","name":"Windows 10 Pro N","type":"windows","build":"19042.1706","version":"10.0"},"hostname":"DESKTOP-1HJ6FAO","architecture":"x86_64"},"agent":{"id":"c7f4678f-8f35-44f8-82c0-340acfac37de","name":"DESKTOP-1HJ6FAO","type":"winlogbeat","version":"8.5.1","ephemeral_id":"4e0d84b9-de47-4213-97ea-83a5910f464d"},"@version":"1","winlog":{"keywords":["Classique"],"record_id":2096,"opcode":"Info","provider_guid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","api":"wineventlog","channel":"Application","task":"None","computer_name":"DESKTOP-1HJ6FAO","event_id":"16394","provider_name":"Microsoft-Windows-Security-SPP"},"log":{"level":"information"}}

Did I do something wrong?
Thanks

If [ip] is "192.168.1.155" then the first if will evaluate to true and [logtarget] will get set to "test". The second if will evaluate to false and [logtarget] will get overwritten with "generic". Change the second if to elsif.
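A corrected pipeline, added here as an illustration and not taken from the thread: the filter uses a single if / else if / else chain (Logstash's spelling of the keyword) so that a later branch cannot overwrite logtarget, and the output uses the same chain so a "test" event is no longer also written to else.log by the trailing else. In the sample document above the address array sits under host.ip, so the conditions reference [host][ip]; the metadata field named in the comment is an assumption to verify against the beats input documentation.

```logstash
input {
  beats {
    port => 5555
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstashcert.pem"
    ssl_key => "/etc/logstash/certs/logstashkey.pem"
    ssl_verify_mode => none
  }
}

filter {
  # One chain: exactly one branch runs, so logtarget is set exactly once.
  # [host][ip] is an array in the winlogbeat document, so "x" in [host][ip]
  # is an exact-element membership test (on a string it would be a substring test).
  if "192.168.1.155" in [host][ip] or "192.168.1.170" in [host][ip] {
    mutate { add_field => { "logtarget" => "test" } }
  } else if "192.168.1.160" in [host][ip] or "192.168.1.175" in [host][ip] {
    mutate { add_field => { "logtarget" => "prod" } }
  } else {
    mutate { add_field => { "logtarget" => "generic" } }
  }
  # Caveat: host.ip is reported by the agent itself, not observed on the wire,
  # so a misconfigured or untrusted agent can land its events in the prod file.
  # Routing on the connection peer address is stricter (assumption: the beats
  # input exposes it as [@metadata][input][beats][host][ip] in ECS mode).
}

output {
  # Same chain here: with two separate ifs, a "test" event also hit the final else.
  if [logtarget] == "test" {
    file { path => "/opt/logstash/log/windows/test-%{+YYYY-MM-dd}.log" }
  } else if [logtarget] == "prod" {
    file { path => "/opt/logstash/log/windows/prod-%{+YYYY-MM-dd}.log" }
  } else {
    file { path => "/opt/logstash/log/windows/else.log" }
  }
}
```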

Hello,
Yes, that was it.
Thanks a lot!
