Office365 Logstash parser

a899090 · July 26, 2018, 7:48pm

Hi

I need some help running this logstash config, when running in ubuntu it keeps on complaining about line 47 where it expected # or => but i can't see the problem with the below. Any help will be appreciated.

input {
    file { 
        path => "<tsv_moniter>/*.csv"
        type => "o365_tsv" 
        start_position => "beginning"
    }

    file { 
        path => "home/ct/Documents/office/*.csv"
        type => "o365_csv" 
        start_position => "beginning"
    }
}

filter {
    if ([type] == "o365_tsv") {
        csv {
            columns => ["CreationDate", "UserIds", "Operations", "AuditData"]
            skip_header => "true"
            add_tag => [ "o365_csv_log" ]
            # Insert a literal tab for a separator
            separator => "  " 
        }

        date {
            match => [ "CreationDate", "ISO8601"]
        }

        json {
            # Need to parse out embedded JSON
            source => "AuditData"
        }

        geoip {
            database => "home/ct/Documents/maximind/GeoLite2-Country.mmdb"
            source => "ClientIP"
            target => "client_geo"
        }
    }

    if ([type] == "o365_csv") {
        csv {
            columns => ["PSComputerName", "RunspaceId", "PSShowComputerName", "RecordType", "CreationDate", "UserIds", "Operations", "AuditData", "ResultIndex", "ResultCount", "Identity", "IsValid", "ObjectState"]
            skip_header => "true"
            
            # Need to drop that pesky second header
            if ([message] =~ /^#/) {
                drop {}
            }
        }

        date {
            match => [ "CreationDate", "ISO8601" ]
        }

        # Need to parse out embedded JSON
        json {
            source => "AuditData"
        }

        geoip {
            database => "home/ct/Documents/maximind/GeoLite2-Country.mmdb"
            source => "ClientIP"
            target => "client_geo"
        }
    }
}

output {
    elasticsearch {
        # Change me to reflect your Elastic server
        hosts => ["localhost:5601"]
        index => "o365_logs"
    }
}

Badger · July 26, 2018, 9:06pm

You cannot have a conditional inside a filter. Move the if+drop outside of the csv.

yaauie · July 26, 2018, 10:28pm

^ this is the conditional that @badger mentions as being inside of a filter.

You can use conditionals to determine whether or not a filter will be run on an event, but conditionals cannot exist inside of filters.

a899090 · July 30, 2018, 11:09am

thanks, i will try that and see what happens

system · August 27, 2018, 11:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.