hi, i'd love some help, i've googled all i know to google, read the logstash documents.. and i'm still not finding what i need.
i am bringing in a ton of logs from various sources dealing with network traffic. i'd like to have a rule that based on some conditions:
-- if a field is an ipv4 ip address AND NOT an internal/private ip address send a query to an outside server to query if its a known bad/blacklisted IP or a good/whitelisted IP.
i THINK that can be done with the
if (conditions would go here) {
filter {
TCP {
} #end TCP
} #end filter
} # end if
the curl command have running against the server would be something like this: curl -H "Authorization:22de00b5e876adwhateverwhateverwhatever" -GET "http://XXX.XXX.XXX.XXX:5000/indicators/?q=@{indicator}"
and it works and returns a JSON response with the info i need.
Am I on the right track here? i cant seem to find anyone doing anything like this.. maybe i'm not searching for the right thing.. any help or links to examples would be greatly appreciated.
Badger thank you very much for your help.
i'm about 80% there.
I've got logstash communicating to my server.
the query i need to run is this: (using curl from linux command prompt) curl -H "Authorization:AuthTokenGoesHere" -GET "http://192.168.4.102:5000/indicators/?q=@{indicator}"
this curl statement works.. but i'm not having very much luck translating that into the HTTP format:
filter {
if "externalAddress" in [tags] {
rest {
request => {
url => "http://192.168.4.102:5000/indicators/?q=%{[source][address]}"
method => "post"
} #end request
auth {
Authorization => "AuthTokenGoesHere"
}
target => "cif"
json => "true"
} #end rest
} # end if
} # end filter
any suggestions would really appreciated. I cant seem to find any examples of this in the discussion forums or with google
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.