Logstash - If %{statement} has "value"

headtea · October 1, 2020, 2:54pm

In Logstash, I'm trying to set a condition where if within a file named "cowrie.json", if a new message is received that starts with "login attempt*" - send an email.

This is what I tried:

output {
  if [log][file][path] =~ "cowrie.json" {
  if %{message} =~ "login attempt.*"{
    email {
      to => 'test@address.com'
      subject => 'Honeypot Alert'
      body => "Someone interacted with the honeypot!"
      domain => 'mail.xconnect.net'
      port => 25
    }
  }
 }
}

If I remove the second if statement, it works. Does anyone happen to know what I have to replace the second if statement so that it would only apply to entires/messages that start with "login attempt"?

Huge thanks ahead!

Badger · October 1, 2020, 3:16pm

That should be

if "login attempt" in [message] {

or

if [message] =~ "^login attempt" {

(note that you said "starts with", so I anchored the pattern).

headtea · October 1, 2020, 3:22pm

Thank you SO MUCH!

system · October 29, 2020, 3:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.