Logstash Filter with wrong result for deal with lots event at the same time

stanwang · May 5, 2020, 9:36am

Hi,

I use Winlogbeat to transmit Windows Event Log. My Logstash Filter use for parsing the "message" in the Json.
The message content will like this, "RuleName: technique_id=T1047,technique_name=Windows Management Instrumentation." And, my purpose is splitting the message into three part, "RuleName, Technique_id and Technique_name." Here is my code. I write the filter in Ruby.

filter {
  ruby {
    code => '
      # Initialize
      rulename_input = " "
      technique_id = " "
      technique_name = " "

      array = event.get("[message]").split("\n")
      Message = array[1]
      RuleName = Message.split(": ")

      if RuleName[1] == " " or RuleName[1] == nil
        rulename_input = " "
        technique_id = " "
        technique_name = " "
      else 
        rulename_input = RuleName[1]
        tech = RuleName[1].split(",")

        tec = tech[0].split("=")
        technique_id = tec[1]

        tec = tech[1].split("=")
        technique_name = tec[1]
      end

      event.set("RuleName",rulename_input)
      event.set("Technique_id",technique_id)
      event.set("Technique_name",technique_name)
    '
  }
}

The filter result is usually correct in most situation. Below is correct picture by Kibana.

But, if there are lots of event log send from Winlogbeat at the same time, it will be wrong. The wrong result as below:

How do I fix it?

Badger · May 5, 2020, 3:48pm

In ruby, any "variable" that starts with a capital letter is a constant. I am not going to explain the scope of constants in ruby, but suffice to say that if you configure

input { generator { count => 1 lines => [ 'first', 'second' ] } }
filter {
    ruby {
        code => '
            if event.get("message") =="first"
                Constant = "Foo"
            end
            event.set("someField", Constant)
        '
    }
}
output { stdout { codec => rubydebug { metadata => false } } }

then you get

{
   "message" => "first",
  "@version" => "1",
"@timestamp" => 2020-05-05T15:44:14.523Z,
  "sequence" => 0,
 "someField" => "Foo"
}
{
   "message" => "second",
  "@version" => "1",
"@timestamp" => 2020-05-05T15:44:14.536Z,
  "sequence" => 0,
 "someField" => "Foo"
}

whereas if you configure

input { generator { count => 1 lines => [ 'first', 'second' ] } }
filter {
    ruby {
        code => '
            if event.get("message") =="first"
                constant = "Foo"
            end
            event.set("someField", constant)
        '
    }
}
output { stdout { codec => rubydebug { metadata => false } } }

then you get

{
   "message" => "first",
  "@version" => "1",
"@timestamp" => 2020-05-05T15:43:59.981Z,
  "sequence" => 0,
 "someField" => "Foo"
}
{
   "message" => "second",
  "@version" => "1",
"@timestamp" => 2020-05-05T15:44:00.114Z,
  "sequence" => 0,
 "someField" => nil
}

so rename "Message" and "RuleName" as "message" and "ruleName".

stanwang · May 7, 2020, 2:42am

Thank you for your help , and now it works correctly! Thank you so much!

system · June 4, 2020, 2:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use ruby filter Logstash	2	912	July 6, 2017
Problems with Drop Filter in Logstash Logstash	2	345	July 18, 2019
Ruby Filter output to Field Logstash	3	1949	July 6, 2017
Logstash filtering on eventId in ruby Logstash	3	633	July 9, 2019
Logstash filter for records of nested json messages from eventhub Logstash	3	296	October 20, 2022

Logstash Filter with wrong result for deal with lots event at the same time

Related Topics