Matching word inside message field

Elastic Stack Logstash
1

Hi, Guys
Just like many others i am quite new to ELK and have a question.

My logstash recieves syslogs from pfsense firewall.
I crated a grok filter that parses firewall events and extract all needed data from @message, based on tokens position.
Now, i want openvpn logs to be parsed as well, but.. structure of the @message is quite different, so i need to create a new portion of grok, that will mess with openvpn logs.

The question is, how can i create logic, that will search for specific word inside the message and then apply grok filter.
And (!) if word not found - then apply different filter?

  • i saw that in previous versions of logstash was grep filter, but it's discontinued for now.. am i right?

** Another thing, that i will be greatly thankful if someone knows is- how can i point directly to specific token inside the message and then bind it to a var. just like tokens\delims thing.

Any suggestion will be highly appreciated!
Thanks in advance!

2

I crated a grok filter that parses firewall events and extract all needed data from @message, based on tokens position.

I assume you mean message and not @message. The field hasn't been called @message for years.

The question is, how can i create logic, that will search for specific word inside the message and then apply grok filter.
And (!) if word not found - then apply different filter?

i saw that in previous versions of logstash was grep filter, but it's discontinued for now.. am i right?

Yes, don't use it.

Another thing, that i will be greatly thankful if someone knows is- how can i point directly to specific token inside the message and then bind it to a var. just like tokens\delims thing.

I don't understand this question.

3

Hi and thanks for replying.

message: <134>Dec 10 04:36:44 filterlog: 10,16777216,,1000000103,igb1,match,block,in,4,0x0,,128,32285,0,DF,17,udp,78,10.10.10.10,10.10.11.11,51949,137,58

currently i'm using something like this:
match => { "message" => "%{INT:a},%{INT:b},,%{INT:c},%{WORD:Interface},%{WORD:match},%{WORD:action},%{WORD:direction},%{INT:d},%{WORD:e},,%{INT:f},%{INT:g},%{INT:h},%{WORD:i},%{INT:protocol_number},%{WORD:Protocol},%{INT:j},%{IPV4:destination},%{IPV4:source},%{INT:source_port},%{INT:destination_port}" }

  • i'm sure that's not the best way to do things

So, the question is, how can i point to specific word, based on it's position inside the message, instead of binding every part of it to something.

4

You should use the csv filter.