Logstash filter with grok

I have used the grok debugger and I've identified the pattern I need for getting the field id.orig_h.

My log looks like this:

1295981543.337241	CCBr9k1C1bSaHQbUhh	192.168.3.131	55954	65.55.17.37	80	tcp	http	1.776718	1837	24470	RSTO	-	-	0	ShADdFR	13	2369	19	25234	- 

This is my logstash filter.

filter {
  # Zeek writes header/comment lines starting with '#'; drop them before grok runs.
  if [message] =~ /^#/ {
    drop { }
  }
  else {
    # A conditional takes a boolean expression; the stray "==" after "in [tags]" is
    # what the parser rejects ("Expected one of ... at line 21, column 34").
    if "zeek.connection" in [tags] {
      grok {
        match => [
          "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*?))\t(?<orig_cc>(.*?))\t(?<resp_cc>(.*?))\t(?<sensorname>(.*))",
          "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(%{NOTSPACE:tunnel_parents})"
        ]
      }
      # Drop connection records originating from these hosts; tag everything else.
      if [id.orig_h] in ["192.168.3.131", "10.0.0.1"] {
        drop { }
      }
      # "else if" requires its own condition; a bare "else" covers the remaining case.
      else {
        mutate { add_tag => ["is working"] }
      }
    }
  }
}

I am using grok to check if the field id.orig_h is in this array ["192.168.3.131", "10.0.0.1"]. If yes, drop the entire log. If it is not in the array, then add a tag with "is working".

What am I doing wrong?

Thank you!

This seems to be the error:

[2021-04-01T16:37:52,972][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:kafka, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"and\", \"or\", \"xor\", \"nand\", \"{\" at line 21, column 34 (byte 586) after filter {\n  if \"zeek.connection\" in [tags] ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:371:in `block in converge_state'"]}
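The drop-or-tag logic from the post, modelled in plain Python as an added example (not Logstash code and not the poster's code) so it can be checked against a few conn.log lines without starting a pipeline. The field list assumes Zeek's default conn.log column order, which has a local_resp column between local_orig and missed_bytes; the grok pattern above has no group for it, so the sample record (21 columns) is matched by the 20-field second pattern with every name after conn_state shifted one column to the left, although id.orig_h (column 3) is unaffected. The sample lines, the second record and the DROP_HOSTS name are constructed for this example.

```python
"""Plain-Python model of the Zeek conn.log filter discussed in the post.

Mimics what the Logstash pipeline is meant to do: skip Zeek header lines,
split a record into named fields, drop records whose id.orig_h is on a deny
list, and tag everything else. Added example; not Logstash or poster code.
"""

# Zeek's default conn.log column order (assumption: logs use the stock layout).
# Note local_resp after local_orig: the grok pattern in the post has no group
# for it, so its names after conn_state are shifted by one column vs. this list.
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Originating hosts whose connection records are dropped (the list from the post).
DROP_HOSTS = frozenset({"192.168.3.131", "10.0.0.1"})


def parse_conn_line(line):
    """Split one tab-separated conn.log record into a dict of named fields.

    Returns None for Zeek header/comment lines (starting with '#'), which the
    Logstash config drops before grok runs. A record with fewer columns than
    CONN_FIELDS (e.g. no tunnel_parents) still parses; zip() simply stops.
    """
    if line.startswith("#"):
        return None
    columns = line.rstrip("\r\n").split("\t")
    return dict(zip(CONN_FIELDS, columns))


def filter_event(line, drop_hosts=DROP_HOSTS):
    """Apply the post's conditional to one log line.

    Returns None when the event would be dropped (header line, or id.orig_h in
    drop_hosts); otherwise the event dict carrying the tags the pipeline would
    hold ("zeek.connection" from the input, "is working" added by mutate).
    """
    event = parse_conn_line(line)
    if event is None or event.get("id.orig_h") in drop_hosts:
        return None
    event["tags"] = ["zeek.connection", "is working"]
    return event


def run_pipeline(lines, drop_hosts=DROP_HOSTS):
    """Filter a sequence of lines; returns (kept_events, dropped_count)."""
    kept, dropped = [], 0
    for line in lines:
        event = filter_event(line, drop_hosts)
        if event is None:
            dropped += 1
        else:
            kept.append(event)
    return kept, dropped


# Constructed sample input: a Zeek header line, the record from the post, and a
# second (made-up) record from a host that is not on the drop list.
SAMPLE_LINES = [
    "#fields\tts\tuid\tid.orig_h",
    "1295981543.337241\tCCBr9k1C1bSaHQbUhh\t192.168.3.131\t55954\t65.55.17.37\t80"
    "\ttcp\thttp\t1.776718\t1837\t24470\tRSTO\t-\t-\t0\tShADdFR\t13\t2369\t19\t25234\t-",
    "1295981544.100000\tCxyzConstructed0001\t192.168.3.200\t51000\t65.55.17.37\t80"
    "\ttcp\thttp\t0.500000\t500\t1200\tSF\t-\t-\t0\tShADadFf\t6\t820\t5\t1460\t-",
]

if __name__ == "__main__":
    kept_events, dropped_count = run_pipeline(SAMPLE_LINES)
    print(f"kept={len(kept_events)} dropped={dropped_count}")
    for ev in kept_events:
        print(ev["id.orig_h"], ev["id.resp_h"], ev["conn_state"], ev["tags"])
```

Running it keeps only the second record and drops two lines (the header and the 192.168.3.131 connection), which is the behaviour the corrected Logstash conditional produces once the `==` and the bare `else if` are removed.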
