Problem with filebeat processors

Hi,
I run filebeat with a few modules enabled like cef, cisco and fortinet.
In the modules input area I add a tag related to the customer. Later in the processors part of filebeat.yml I use this tag to set the correct organization.name.
So far so good and it works.
For the fortinet firewall input I have to set the customer name depending on the value of fortinet.firewall.vd, which is available in the ingested data. But this doesn't work.
It seems that the fortinet-specific fields are not available when the event runs through the processors.
A section of the filebeat.yml:

```yaml
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - add_fields:
      when:
        or:
          - contains:
              tags: "CustA"
          - contains:
              fortinet.firewall.vd: "custA"
      target: organization
      fields:
        name: "CustomerA"
  - add_fields:
      when:
        or:
          - contains:
              fortinet.firewall.vd: "Gxxxx"
          - contains:
              tags: "Gxxxx"
      target: organization
      fields:
        name: "Gxxxx"
  - add_fields:
      when:
        equals:
          fortinet.firewall.vd: "K"
      target: organization
      fields:
        name: "Kddd"
```

Hope somebody has an idea.

Best regards
Uwe

Hi!

I'm not sure if you can use conditions in this processor and if the processor actually has access to the event's fields (didn't check, but the docs do not mention that).

However, I think that the script processor can be of help in your case.
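The script processor the reply points to, as an added example that is not from the original thread: Filebeat modules parse log lines in the module's Elasticsearch ingest pipeline, so at processor time the event carries only the raw FortiGate line in `message` and `fortinet.firewall.vd` does not exist yet. The script below reads the `vd=` key-value pair from the raw line itself and sets `organization.name`. The customer mapping, the sample lines and the small `MockEvent` stand-in are constructed so the script runs stand-alone; inside Filebeat the runtime supplies the real `event.Get`/`event.Put`.

```javascript
// Filebeat script processor (ES5.1 via goja): maps the FortiGate "vd" key to organization.name.
// fortinet.firewall.vd is created later by the module's Elasticsearch ingest pipeline,
// so at processor time only the raw line in "message" is available to read from.
var VD_TO_ORG = {            // constructed mapping of vd -> customer name (example values)
  "custA": "CustomerA",
  "Gxxxx": "Gxxxx",
  "K": "Kddd"
};

// Extract the value of key=value from a FortiGate log line, handling both the
// quoted form (vd="root") and the unquoted form (vd=root). Returns null if absent.
function kvValue(line, key) {
  var re = new RegExp('(?:^|\\s)' + key + '=("([^"]*)"|(\\S+))');
  var m = re.exec(line);
  if (!m) return null;
  return m[2] !== undefined ? m[2] : m[3];
}

// Entry point called by the script processor for every event.
function process(event) {
  var msg = event.Get("message");
  if (typeof msg !== "string") return;
  var vd = kvValue(msg, "vd");
  if (vd !== null && VD_TO_ORG.hasOwnProperty(vd)) {
    event.Put("organization.name", VD_TO_ORG[vd]);
  }
}

// Constructed stand-in for Filebeat's event object so the script runs outside Filebeat.
// Filebeat's own Event implements Get/Put with dotted keys; this mock keeps a flat map.
function MockEvent(fields) { this.fields = fields; }
MockEvent.prototype.Get = function (k) { return this.fields[k]; };
MockEvent.prototype.Put = function (k, v) { this.fields[k] = v; };

// Constructed sample lines in FortiGate syslog key=value format (not real customer data).
function demo() {
  var lines = [
    'date=2021-01-01 time=00:00:01 devname="fw1" logid="0000000013" type="traffic" vd="custA" srcip=10.0.0.1',
    'date=2021-01-01 time=00:00:02 devname="fw2" type="event" vd=K action="login"',
    'date=2021-01-01 time=00:00:03 devname="fw3" type="event" vd="unknown" action="login"'
  ];
  return lines.map(function (l) {
    var ev = new MockEvent({ message: l });
    process(ev);
    return ev.fields["organization.name"] || null;   // null when no mapping matched
  });
}
```

In filebeat.yml the function body goes under `processors: - script: lang: javascript source: ...`; the first two sample lines resolve to "CustomerA" and "Kddd", the third to no organization.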
