Been playing around using the ruby filter plugin. Great filter plugin btw!!
I have a couple of logstash confs that have small ruby script filters. While all the filters seem to be working, I still see the error log below when looking at the logstash pipeline logs.
[ERROR][logstash.filters.ruby ][pipeid] Ruby exception occurred: undefined method `+' for nil:NilClass
When looking into this, the scripts below are the only ones that I can see that include the parameters that would cause this.
Script 1
ruby {
  code => "
    e = event.get('[geo_src][ip]')
    url = 'https://www.virustotal.com/gui/search/'
    l = url + e
    event.set('[geo_src][ip_reputation]', l)
  "
}
Script 2
ruby {
  code => "
    i = event.get('[dst_ip]')
    a = i.to_s
    b = a.split('.')
    c = b[0] + '.' + b[1] + '.' + b[2]
    event.set('[dst_ip_grouping]', c)
  "
}
Data is still being seen in Kibana and all, but would this mean that there would be data from this that has not been/unable to have been filtered as intended and dropped etc.?
Would there be a workaround for this or a way to modify the scripts, as I am unsure why this is happening? When checking the scripts in the online ruby tool (Repl.it)
I think the error comes from this part because a didn't contain any dots, so the split result only has one entry. Do you maybe have some IPV6 values in dst_ip?
Thank you very much for replying to my message and your help!
Yes, I was thinking this but I have tried a couple of different filters that happen before and are included within if statements etc but am still getting this.
Examples of this are below:
ex 1
if [dst_ip] === %{IPV6} {
  mutate {
    add_tag => "IPv6"
    ...
  }
} else {
  ruby {
    code => "
      i = event.get('[dst_ip]')
      a = i.to_s
      b = a.split('.')
      c = b[0] + '.' + b[1] + '.' + b[2]
      event.set('[dst_ip_grouping]', c)
    "
  }
}
ex 2
if [dst_ip] === %{IPV6} {
  mutate {
    add_tag => "IPv6"
    tag_on_failure => ["non_ipv6"]
    ...
  }
}
if "non_ipv6" in [tags] {
  ruby {
    code => "
      i = event.get('[dst_ip]')
      a = i.to_s
      b = a.split('.')
      c = b[0] + '.' + b[1] + '.' + b[2]
      event.set('[dst_ip_grouping]', c)
    "
  }
}
ex 3
ruby {
  code => "
    i = event.get('[dst_ip]')
    a = i.to_s
    b = a.split('.')
    c = b[0] + '.' + b[1] + '.' + b[2]
    event.set('[dst_ip_grouping]', c)
  "
  tag_on_expection => "ipv6_error_ruby"
}
if "ipv6_error" in [tags] {
  mutate {
    remove_tag => "ipv6_error_ruby"
    ...
  }
}
Thinking a better way of this if [dst_ip] === %{IPV6} { would be cleaner?
Maybe I've been looking at this for a while and missing what is there? Maybe the logic is incorrect?
Thinking that if I put a filter beforehand to separate IPv4 and IPv6 addresses coming through. Then only the IPv4 addresses will run through the ruby script (bar ex 3).
Just want to be able to clean up the pipeline logs.
And Logstash didn't crash with this configuration? I don't know where you got that, but that kind of syntax and functionality doesn't exist. You could follow this example: How to check client_ip ipv4 or ipv6? - #3 by Badger (Additionally you should maybe check that the field isn't an empty string.)
And it's tag_on_exception, not tag_on_expection. But that only changes the tag, it doesn't suppress the error message.
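An added example, not part of any post in this thread: the two enrichment steps from Script 1 and Script 2 written so that a missing, empty, malformed or IPv6 value yields nil instead of raising inside the ruby filter. When `[dst_ip]` is absent, `i.to_s` is an empty string, `split('.')` returns an empty array and `b[0]` is nil, which is the `+' for nil` case in the log. The helper names `parse_ip`, `ipv4_grouping` and `reputation_link` are hypothetical, and the sample addresses are constructed from documentation ranges.

```ruby
require 'ipaddr'

# Search URL taken from Script 1 in the thread.
VT_SEARCH = 'https://www.virustotal.com/gui/search/'

# Parse a field value into an IPAddr; nil for missing, empty or malformed input.
def parse_ip(value)
  s = value.to_s.strip
  return nil if s.empty?          # nil.to_s is '', so a missing field ends here
  IPAddr.new(s)
rescue IPAddr::Error              # covers invalid address, family and prefix errors
  nil
end

# First three octets of an IPv4 address (Script 2), nil for anything else.
def ipv4_grouping(value)
  ip = parse_ip(value)
  return nil unless ip && ip.ipv4?
  ip.to_s.split('.').first(3).join('.')
end

# Reputation link (Script 1), built only from a value that parsed as an IP,
# so arbitrary field content never ends up inside the URL.
def reputation_link(value)
  ip = parse_ip(value)
  ip && (VT_SEARCH + ip.to_s)
end

# Inside the filter the same guard keeps the pipeline log clean, e.g.:
#   g = ipv4_grouping(event.get('[dst_ip]'))
#   event.set('[dst_ip_grouping]', g) if g

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: IPv4, IPv6, empty, missing, garbage.
  ['192.0.2.45', '2001:db8::1', '', nil, 'not-an-ip'].each do |v|
    puts format('%-14s grouping=%-10s link=%s',
                v.inspect, ipv4_grouping(v).inspect, reputation_link(v).inspect)
  end
end
```

Events where a helper returns nil can be tagged by the filter code and counted, which shows how much traffic is skipping the enrichment.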