Ruby API call when parser hit specific field

Jirka_Liska · May 23, 2023, 10:48am

Hi,

I'm trying to have Logstash make API call when it hits specific field using Ruby code but I'm unable to do so. Could someone smarter than me check what I'm doing wrong please?

Ruby code:

require 'uri'
require 'net/http'

def register(params)
    @pk = params["pk"]
end

def filter(event)
    uri = URI('http://rest_api:8000/api/')
    res = Net::HTTP.post_form(uri, 'report_status' => 'PROCESSED')
    puts res.body  if res.is_a?(Net::HTTPSuccess)
end

Logstash filter:

    grok {
      match => {
        "[log][file][path]" => ["(?:%{BASE10NUM:PK}-)"]
      }
    }
    if [EOF] == 'EOF' {
      ruby {
        path => "/usr/local/supporting-scripts/isotropy-webhook.rb"
        script_params => {
        "PK" => "pk"
        }
      }
    }

Log example:

fd1c6aeb-c9c4-4c1c-8451-7899dc71cb0b,12/2/2022 9:13:34 PM,13,DlpRuleMatch,test@test.com,"{""CreationTime"":""2022-12-02T21:13:34"",""Id"":""1-1c-8451-1"",""Operation"":""DlpRuleMatch"",""OrganizationId"":""1-1-1-1-1"",""RecordType"":13,""UserKey"":""1-1c-8451-1"",""UserType"":4,""Version"":1,""Workload"":""Exchange"",""ObjectId"":""<1@1.1.1.1.COM>"",""UserId"":""test@test.com"",""IncidentId"":""1-1c-8451-1"",""PolicyDetails"":[{""PolicyId"":""6a9c7f84-4d04-487c-9b1e-6dc4884e5c44"",""PolicyName"":""DLP_Exclude_Autoreplies_Ex_Cx"",""Rules"":[{""Actions"":[""Halt""],""ConditionsMatched"":{""ConditionMatchedInNewScheme"":false,""OtherConditions"":[{""Name"":""AccessScope"",""Value"":""IncludeExternalUsers""},{""Name"":""ExtendedItem.ExMessage.MessageType"",""Value"":""AutomaticReply""}]},""ManagementRuleId"":""1-1c-8451-1"",""RuleId"":""1-1c-8451-1"",""RuleMode"":""Enable"",""RuleName"":""DLP_Exclude_Autoreplies_Ex_Cx"",""Severity"":""Low""}]}],""SensitiveInfoDetectionIsIncluded"":false,""ExchangeMetaData"":{""BCC"":[],""CC"":[],""FileSize"":44224,""From"":""test@test.com"",""MessageID"":""<1-1c-8451-1@1-1c-8451-1.1-1c-8451-1.1-1c-8451-1.1-1c-8451-1.COM>"",""RecipientCount"":1,""Sent"":""2022-12-02T21:13:33"",""Subject"":""Automatic reply: [Test] Test"",""To"":[""test@test.com""],""UniqueID"":""a1df2cb7-73ef-4d58-068b-08dad4aa11eb""}}",""EOF"":""EOF"",

Thanks in advance!

Badger · May 23, 2023, 3:04pm

Your ruby script defines the parameter names as "pk", not "PK".

Jirka_Liska · May 23, 2023, 3:57pm

thanks, anyway this changed nothing...

Badger · May 23, 2023, 4:01pm

Not surprising actually, since you never reference @pk.

Jirka_Liska · May 23, 2023, 4:34pm

With or without I would expect to see this POST request in API logs but there is none..Is possible I'm doing something else wrong?

Badger · May 23, 2023, 5:03pm

What sets the [EOF] field to "EOF"?

Jirka_Liska · May 23, 2023, 5:19pm

That's me, I'm adding it manually at the end of the file. I want to determine when parsing is done and notify my API with this info.

Badger · May 23, 2023, 5:36pm

But what sets the field? Did you mean if [message] == "EOF"? If so, you might need pipeline.ordered set to true (and pipeline.workers set to 1 as well).

Jirka_Liska · May 23, 2023, 5:42pm

Thank for your kind support! You're knowledge help fix my problem as always!

system · June 20, 2023, 5:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.