I send syslog data from a WiFi controller to ElasticSearch. This controller sends me different types of packets and I want to keep only the packets of this type:
#Filtering data using grok parser
filter
{
  if [type] == "wifilogs"
  {
    if "policy=_syslog" in [message]
    {
      grok
      {
        match => { "message" => "(?<timestamp>%{MONTH} +%{MONTHDAY} %{TIME} %{YEAR}) %{HOSTNAME:ControllerName} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} (<%{NOTSPACE} %{IP:IPController}>|%{NOTSPACE}) %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:Protocol} srcip=%{IP:srcIP} srcport=%{NOTSPACE:srcPort} dstip=%{NOTSPACE:destIP} dstport=%{NOTSPACE:dstPort}, action=%{NOTSPACE:action}, role=%{NOTSPACE:role}, policy=%{NOTSPACE:ArubaPolicy}"}
      }
    }
  }
}
The grok filter works well! No problem with that.
But I find that this filter does not work, because it still sends all packets to Logstash. How can I keep only the packets that contain "policy=_syslog"?
One possibility is to produce a grok pattern that recognises only the syslog messages. For all the others, it will produce the tag _grokparsefailure, so you can use this in an if expression in your output.
filter
{
  if [type] == "wifilogs"
  {
    # I edited the grok pattern, look at the end of it
    grok
    {
      match => { "message" => "(?<timestamp>%{MONTH} +%{MONTHDAY} %{TIME} %{YEAR}) %{HOSTNAME:ControllerName} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} (<%{NOTSPACE} %{IP:IPController}>|%{NOTSPACE}) %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:Protocol} srcip=%{IP:srcIP} srcport=%{NOTSPACE:srcPort} dstip=%{NOTSPACE:destIP} dstport=%{NOTSPACE:dstPort}, action=%{NOTSPACE:action}, role=%{NOTSPACE:role}, policy=_syslog"}
    }
  }
}
output {
  if "_grokparsefailure" not in [tags] {
    elasticsearch {...}
  }
}
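As an added example (not from either poster), the same pipeline written so that the filter stage itself decides what is kept: Logstash hands every event to the outputs unless a `drop` filter removes it, so the original `if "policy=_syslog" in [message]` block only controls whether grok runs, not whether the event survives. The `wifi-firewall` and `wifi-other` index names and the `wifi_other` tag are assumed values; the grok pattern is the one from the question.

```logstash
filter {
  if [type] == "wifilogs" {
    if "policy=_syslog" in [message] {
      grok {
        match => { "message" => "(?<timestamp>%{MONTH} +%{MONTHDAY} %{TIME} %{YEAR}) %{HOSTNAME:ControllerName} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} (<%{NOTSPACE} %{IP:IPController}>|%{NOTSPACE}) %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:Protocol} srcip=%{IP:srcIP} srcport=%{NOTSPACE:srcPort} dstip=%{NOTSPACE:destIP} dstport=%{NOTSPACE:dstPort}, action=%{NOTSPACE:action}, role=%{NOTSPACE:role}, policy=%{NOTSPACE:ArubaPolicy}" }
      }
    } else {
      # Option A: discard everything that is not a policy=_syslog line.
      # Nothing below this point ever sees these events.
      drop { }

      # Option B (comment out the drop above to use it): keep the other
      # controller messages but mark them, so they can be routed to a
      # separate index instead of being lost. "wifi_other" is an assumed tag.
      # mutate { add_tag => [ "wifi_other" ] }
    }
  }
}

output {
  if [type] == "wifilogs" {
    if "wifi_other" in [tags] {
      # Only reached with Option B: low-value messages land in their own index.
      elasticsearch { index => "wifi-other-%{+YYYY.MM.dd}" }
    } else if "_grokparsefailure" not in [tags] {
      # Parsed firewall/policy events (assumed index name).
      elasticsearch { index => "wifi-firewall-%{+YYYY.MM.dd}" }
    }
    # Events tagged _grokparsefailure fall through to no output: check them
    # in the Logstash logs before trusting the filter, since a pattern that
    # stops matching after a controller upgrade silently drops the data.
  }
}
```

Dropping in the filter stage (Option A) reduces indexing load, while tagging and routing (Option B) keeps the unparsed controller messages available for investigation and makes a broken grok pattern visible as a growing index rather than silent loss.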