Logstash if conditions connected with and

Hello,

I am trying to add a field with logstash.

For example, I have the following lines in the filter section of my Logstash config file:

if [dest_ip] == "194.175.245.9" and [alert][signature_id] == "2009702" {
     mutate{add_field => {"alert_confirm" => false}}
}

This should add the field alert_confirm with the boolean false if the dest_ip and the signature_id match.
However, it won't work. I tried to change [alert][signature_id] to [alert.signature_id], but this didn't work either.

Strangely enough, I have another if condition beneath this one:

if [dest_ip] == "195.125.109.3" and [alert][signature_id] in ["2002157","2009475"] {
     mutate{add_field => {"alert_confirm" => false}}
}

And this one is working as intended.

What am I missing? Can someone help me with that?

There doesn't seem to be anything wrong with the code you posted. So I guess there is either something in the rest of the configuration that keeps this from working (e.g. another condition around it that doesn't match) or the data structure for the event that should be affected by this condition is different from what you think. Could you please post your full configuration and an example event?

Ok, here is the entire configuration file:

input {
    file {
        path => ["/var/log/suricata/eve.json"]
        sincedb_path => ["/var/lib/logstash/since.db"]
        codec => json
    }
}

filter{
    if [event_type] == "alert" {

        if [dest_ip] == "194.175.245.9" and [alert][signature_id] == "2009702" {
            mutate{add_field => {"alert_confirm" => false}}
        }

        if [dest_ip] == "195.125.109.3" and [alert][signature_id] in ["2002157","2009475"] {
            mutate{add_field => {"alert_confirm" => false}}
        }

    }
}

output {
    elasticsearch {
        hosts => ["http://localhost:9200"]
        index => "suricata"
        user => "user"
        password => "password"
    }
}

And here is an event which gets processed:

{
  "_index": "suricata",
  "_type": "_doc",
  "_id": "rTpQn3MBirb_Rfr8QbBc",
  "_version": 1,
  "_score": null,
  "_source": {
    "tx_id": 0,
    "flow_id": 1724732766907214,
    "@timestamp": "2020-07-30T10:41:43.665Z",
    "vlan": [
      1
    ],
    "src_ip": "10.121.12.55",
    "src_port": 58753,
    "app_proto": "http",
    "flow": {
      "pkts_toserver": 4,
      "bytes_toserver": 604,
      "bytes_toclient": 219,
      "pkts_toclient": 3,
      "start": "2020-07-30T12:41:43.486222+0200"
    },
    "path": "/var/log/suricata/eve.json",
    "timestamp": "2020-07-30T12:41:43.578856+0200",
    "host": "ebjen-ids.vistec-eb.com",
    "proto": "TCP",
    "alert": {
      "gid": 1,
      "metadata": {
        "created_at": [
          "2010_07_30"
        ],
        "updated_at": [
          "2020_06_02"
        ]
      },
      "signature_id": 2009475,
      "severity": 1,
      "action": "allowed",
      "rev": 12,
      "signature": "ET POLICY TeamViewer Dyngate User-Agent",
      "category": "Potential Corporate Privacy Violation"
    },
    "@version": "1",
    "event_type": "alert",
    "dest_ip": "194.175.245.4",
    "in_iface": "enp5s0f1",
    "dest_port": 8080,
    "http": {
      "http_user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)",
      "status": 200,
      "protocol": "HTTP/1.1",
      "hostname": "client.teamviewer.com",
      "length": 0,
      "http_method": "CONNECT",
      "url": "client.teamviewer.com:443",
      "http_port": 443
    }
  },
  "fields": {
    "flow.start": [
      "2020-07-30T10:41:43.486Z"
    ],
    "@timestamp": [
      "2020-07-30T10:41:43.665Z"
    ],
    "timestamp": [
      "2020-07-30T10:41:43.578Z"
    ]
  },
  "sort": [
    1596105703665
  ]
}

I don't remember having much luck with "if condition and condition"; I usually have to do:

if condition A
if condition B
if condition C

Sorry for my late reply.
I tried to simplify my config file so that I had only one if condition in my filter section:

if [alert][signature_id] == "2009702" {
  drop{}
}

That did not work either.

I am going to try to rewrite my config file; maybe I have some invisible character somewhere in there that prevents correct execution.

Oooooooh. I finally get it. It's too obvious :sweat_smile: You're comparing an integer to a string. That's why it doesn't work. We got irritated because your "... in [...]" condition, which checks whether the value is in the collection, works. But for == it doesn't.

if [alert][signature_id] in ["2009475", "blubb"] {
    mutate { add_field => {"test1" => true} }
}
if [alert][signature_id] == "2009475" {
    mutate { add_field => {"test2" => true} }
}
if [alert][signature_id] == 2009475 {
    mutate { add_field => {"test3" => true} }
}

# resulting event (rubydebug output): only test1 and test3 were added
{
  "alert" => {
    "signature_id" => 2009475
  },
  "test1" => "true",
  "test3" => "true"
}
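The practical lesson from the exchange above is to look at the JSON type of a field in the source event before writing a Logstash == comparison against it. The following script is an added example, not code from this thread or from Logstash: it reads eve.json lines, walks a Logstash-style field reference such as [alert][signature_id], and prints the comparison literal that matches the field's actual type (unquoted for numbers, quoted for strings). The sample lines are constructed, modelled on the alert posted in the thread, and the helper names (parse_field_reference, field_report, suggest_conditions) are this example's own.

```python
"""Inspect the JSON type of Suricata EVE fields before writing Logstash conditionals.

Added example, not code from the thread or from Logstash. A Logstash `==`
compares typed values, so an integer field never equals a quoted string; this
script reads eve.json lines and prints the literal each field reference needs.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Constructed sample lines modelled on the alert event posted in the thread
# (not real traffic; the second line is a non-alert event to show a missing field).
SAMPLE_EVE_LINES = [
    json.dumps({
        "event_type": "alert",
        "src_ip": "10.121.12.55",
        "dest_ip": "194.175.245.4",
        "dest_port": 8080,
        "alert": {"signature_id": 2009475, "rev": 12, "severity": 1,
                  "signature": "ET POLICY TeamViewer Dyngate User-Agent"},
    }),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2"}),
]

_FIELD_PART = re.compile(r"\[([^\[\]]+)\]")


def parse_field_reference(ref: str) -> list[str]:
    """Split a Logstash field reference like '[alert][signature_id]' into its keys.

    '[alert.signature_id]' is ONE key containing a dot, not a nested path;
    that is why the dotted form tried in the thread cannot match a nested field.
    """
    parts = _FIELD_PART.findall(ref)
    if not parts or "".join(f"[{p}]" for p in parts) != ref:
        raise ValueError(f"not a Logstash field reference: {ref!r}")
    return parts


def load_events(lines: list[str]) -> list[dict[str, Any]]:
    """Parse eve.json lines (one JSON object per line) into dicts."""
    return [json.loads(line) for line in lines]


def lookup(event: dict[str, Any], ref: str) -> Any:
    """Walk the event along the field reference; None when any level is missing."""
    node: Any = event
    for key in parse_field_reference(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def logstash_literal(value: Any) -> str:
    """Render the value as the literal a Logstash == comparison needs for this type."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)         # unquoted: number compared to number
    return json.dumps(value)      # strings (and anything else) stay quoted JSON


def field_report(lines: list[str], ref: str) -> dict[str, str]:
    """Map each distinct JSON type the field has across the events to its literal."""
    report: dict[str, str] = {}
    for event in load_events(lines):
        value = lookup(event, ref)
        if value is not None:
            report.setdefault(type(value).__name__, logstash_literal(value))
    return report


def suggest_conditions(lines: list[str], ref: str) -> list[str]:
    """Build '<ref> == <literal>' for every type observed, so the literal is typed right."""
    return [f"{ref} == {literal}" for literal in field_report(lines, ref).values()]


if __name__ == "__main__":
    for ref in ("[dest_ip]", "[alert][signature_id]", "[alert.signature_id]"):
        print(ref, "->", suggest_conditions(SAMPLE_EVE_LINES, ref) or "field not present")
```

Run it against a few real lines from /var/log/suricata/eve.json instead of the constructed sample to get the literals for your own fields. Note that a config check with `logstash --config.test_and_exit` does not catch this class of mistake: `[alert][signature_id] == "2009702"` is syntactically valid and simply never matches an integer field.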

Yep that was it ^^
I changed it and it just works, as it should.

Thank you very much :smiley:

Hi,

Does it see it as text or an integer? If an integer, try removing the speech marks.

Kind regards
Philip Robson

Yeah, like @Jenni said, that was the mistake I made.
Without the speech marks it is working.
