Logstash to filter and drop all strings mentioned in exception.txt file

Hello

We are trying to see the feasibility of using logstash and icinga (check_logfiles plugins) in tandem to monitor postgres logs.

The idea is that we have a file called ignore_alert.txt. It has hundreds of strings for which the admin is not interested in receiving alerts.

$ cat ignore_alert.txt
(01000)
(0100C)
(01008)
(01003)
(01007)
(01006)
(01004)
(01P01)
(02000)
(02001)
(03000)
(08000)
(08003)
(08006)
(08001)
(08004)
(08007)
(08P01)
(09000)
(0A000)
(0B000)
(0F000)
(0F001)
(0L000)
(0LP01)
(0P000)
(0Z000)
(0Z002)

Why we chose the ignore (exclusion) process rather than an inclusion string is because every time postgres comes out with a new version, some new strings are introduced which may be crucial. So we want to monitor everything unless it has been confirmed by the admin as not required.

So we want to read from the postgres logfile and filter out anything which matches a string in ignore_alert.txt.

Hi

If you could get your "ignore_alert" info into one single line and into an environment variable on your logstash system, then you could just use it in a filter:

[...]
mutate {
   # env var substitution only works inside a quoted string
   add_field => {
      "IGNORE" => "${<your_environment_variable_here>:<default_value__just_in_case__not_required>}"
   }
}

# "in" on a string field is a substring test, so the code is matched anywhere in IGNORE
if [ALERTCODE] in [IGNORE] {
  drop {}
}
[...]

Hope this helps

Thank You for your response

Well, the ignore_alert.txt file is a few hundred lines. It has alert IDs as shown above or sometimes strings as well, like "wrong statement" with spaces in between, etc. This is just too big to bring into one single line. Also it is expected that admins will add new patterns at the end of the ignore_alert.txt file if they don't want to be alerted on some newly discovered pattern. Just wondering if this is even a feasible solution, considering I cannot just hog a lot of CPU and memory just to process this for every line in the logs.

Hi

You are right, this would be feasible only for a small(ish) list. A more general solution could maybe be implemented using a ruby{} filter.

Inside the ruby filter you could check your exceptions file and fill a boolean variable, then use an if to drop{} the rejects.

if  [REJECT] > 0 {
  drop {}
}

Hope this helps.

You could do it in a ruby script. In the register function, load the file into an instance variable array. Then in the filter function do

m = event.get("message")
# @a is the instance variable array of ignore strings loaded in register
@a.each { |x|
    if m.include? x
        event.cancel   # a cancelled event is dropped from the pipeline
    end
}
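
As an added example, not code from this thread, here is a stand-alone Ruby version of the register/filter script the last two replies describe. It assumes the Logstash script API (register(params), filter(event) returning an array, event.get, event.cancel) and replaces the per-pattern include? loop with one Regexp.union compiled at register time, so each event costs a single scan even with hundreds of patterns; blank lines in the ignore file are skipped, because an empty pattern would otherwise match every message and silence all alerts. The Event class and the sample data are constructed stand-ins so it runs outside Logstash.

```ruby
require "tempfile"

# Minimal stand-in for the Logstash event API used by the script.
class Event
  def initialize(fields); @fields = fields; @cancelled = false; end
  def get(key); @fields[key]; end
  def cancel; @cancelled = true; end
  def cancelled?; @cancelled; end
end

# register(params) runs once when the pipeline starts: read the ignore
# list, drop blank lines (an empty pattern would match every message),
# and compile a single literal-match regexp so each event costs one scan
# instead of one include? call per pattern.
def register(params)
  patterns = File.readlines(params["path"], chomp: true)
                 .map(&:strip).reject(&:empty?)
  @ignore = Regexp.union(patterns)   # escapes "(", ")" etc. for us
end

# filter(event) runs per event; cancelled events are not emitted.
def filter(event)
  m = event.get("message")
  event.cancel if m && @ignore.match?(m)
  [event]
end

# Constructed sample data: an ignore list and a few postgres log lines.
IGNORE_LIST = "(01000)\n(08006)\n\nwrong statement\n"
SAMPLE_LOGS = [
  "2023-01-01 10:00:00 UTC WARNING:  (01000) nonstandard use of escape",
  "2023-01-01 10:00:01 UTC FATAL:  (08006) connection failure",
  "2023-01-01 10:00:02 UTC ERROR:  (42601) syntax error at or near \"SELEC\"",
  "2023-01-01 10:00:03 UTC ERROR:  wrong statement in session",
  "2023-01-01 10:00:04 UTC PANIC:  (XX000) could not write to file",
]

# Runs the filter over the sample logs and returns the messages that
# would still reach icinga (i.e. were not cancelled).
def surviving_messages(ignore_text = IGNORE_LIST, logs = SAMPLE_LOGS)
  Tempfile.create("ignore_alert") do |f|
    f.write(ignore_text); f.flush
    register("path" => f.path)
    logs.map { |l| filter(Event.new("message" => l)).first }
        .reject(&:cancelled?).map { |e| e.get("message") }
  end
end

puts surviving_messages if __FILE__ == $PROGRAM_NAME
```

With the sample data only the (42601) and (XX000) lines survive; the (01000), (08006) and "wrong statement" lines are dropped.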