String interpolation failing in event dependent config

joshzitting · May 23, 2016, 8:40pm

I am attempting to use a dynamic/event dependent config (as shown here https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html) however I keep getting an errror.
I am trying to output data to sentry depending on the severity, and the type of log that it is processing.

This is what the output section looks like

        sentry {
        host => '192.168.1.101'
        key => 'b3921923d34c4344878g7a83e2061229'
        secret => 'd0163as306c04148aee49fe4ae7621b1'
        project_id => '2'
        msg => "[@metadata][sentry][id]"
        level_tag => "[sentry]" (have also tried "%{sentry}", %{sentry}, "[@metadata][sentry][severity]" ) etc.
        #level_tag => "fatal"
      }

And this is what my filter looks like..

filter {
  if [type] == "syslog" {
   mutate {
      add_field => {"[@metadata][sentry][id]" => "%{host}"}
     # add_field => { "[sentry_severity]" => "%{severity}" }
      add_field => {"sentry" => "fatal"}
     # add_field => {"[@metadata][sentry][severity]" => "fatal" }
   }
  }
}

This is what sentry is receiving..

{
  "name": "level",
  "value": "[sentry]"
}

the part I am having an issue with is 'level_tag => "[sentry]" ' (as you can see I have tried a handful of variables without success) I would prefer to use a metadata one..
I have tried every type of interpolation there that I can find and no matter what it keeps passing in the variable name as opposed to the data contained in the variable.. however when I do a std out it DOES show that the variable IS set to the right string.

Any help is sooooo appreciated..

What I would hope to do is be able to have host, key, secret, project_id, level tag, all variables that are set in the filters section...
Thanks!
Josh

magnusbaeck · May 24, 2016, 6:11am

msg => "[@metadata][sentry][id]"

Should be:

msg => "%{[@metadata][sentry][id]}"

level_tag => "[sentry]"

Should be (square brackets optional):

 level_tag => "%{[sentry]}"

Please show an example event as presented by a stdout { codec => rubydebug } codec so we can see exactly what the events look like.

joshzitting · May 24, 2016, 6:02pm

Here is the debug output..

{
           "message" => "pam_unix(cron:session): session closed for user root\n",
          "@version" => "1",
        "@timestamp" => "2016-05-24T17:17:01.000Z",
              "type" => "syslog",
              "host" => "10.129.21.17",
          "priority" => 86,
         "timestamp" => "May 24 17:17:01",
         "logsource" => "d27ca252-44d5-45e1-e7e1-d3f3a0212799",
           "program" => "CRON",
               "pid" => "7806",
          "severity" => 6,
          "facility" => 10,
    "facility_label" => "security/authorization",
    "severity_label" => "Informational",
            "sentry" => "fatal",
         "@metadata" => {
        "sentry" => {
            "id" => "10.129.21.17"
        }
    }
}

also

{
           "message" => "pam_unix(cron:session): session closed for user root\n",
          "@version" => "1",
        "@timestamp" => "2016-05-23T22:17:01.000Z",
              "type" => "syslog",
              "host" => "10.129.21.17",
          "priority" => 86,
         "timestamp" => "May 23 22:17:01",
         "logsource" => "d27ca252-44d5-45e1-e7e1-d3f3a0212799",
           "program" => "CRON",
               "pid" => "7569",
          "severity" => 6,
          "facility" => 10,
    "facility_label" => "security/authorization",
    "severity_label" => "Informational",
            "sentry" => "fatal",
         "@metadata" => {
        "sentry" => {
            "id" => "10.129.21.17"
        }
    }
}

As you can see the feild "sentry" is set to fatal..

However with the config set as you suggested above.. Here is the json event data that sentry received..

{"id":"017a8bb3fb9d42f8be8bf51d6a6241f5","project":2,"release":null,"platform":"other","culprit":"","message":"%{[@metadata][sentry][id]}","datetime":"2016-05-24T17:50:31.000000Z","time_spent":null,"tags":[["level","error"],["server_name","10.129.21.17"]],"errors":[{"type":"invalid_data","name":"level","value":"%{[sentry]}"}],"extra":{"severity":6,"facility":10,"@version":"1","@timestamp":"2016-05-24T17:50:31.000Z","sentry":"fatal","logsource":"d27ca252-44d5-45e1-e7e1-d3f3a0212799","priority":86,"host":"10.129.21.17","program":"su","severity_label":"Informational","timestamp":"May 24 17:50:31","message":"pam_unix(su:session): session opened for user root by ubuntu(uid=0)\n","type":"syslog","facility_label":"[Filtered]","pid":"7937"},"fingerprint":["{{ default }}"],"received":1464112251.0,"type":"default","version":"5"}

As you can see both the message (msg) and level ("errors":[{"type":"invalid_data","name":"level","value":"%{[sentry]}"}] ) are not interpolated..

If I have the message like this.. msg => "[@metadata][sentry][id]" it will interpolate..

{"id":"2cdbe0522f234967855b44c1c17816b0","project":2,"release":null,"platform":"other","culprit":"","message":"10.129.21.17","datetime":"2016-05-24T17:56:45.000000Z","time_spent":null,"tags":[["level","error"],["server_name","10.129.21.17"]],"errors":[{"type":"invalid_data","name":"level","value":"%{sentry}"}],"extra":{"severity":6,"facility":10,"@version":"1","@timestamp":"2016-05-24T17:56:45.000Z","sentry":"fatal","logsource":"d27ca252-44d5-45e1-e7e1-d3f3a0212799","priority":86,"host":"10.129.21.17","program":"su","severity_label":"Informational","timestamp":"May 24 17:56:45","message":"pam_unix(su:session): session opened for user root by ubuntu(uid=0)\n","type":"syslog","facility_label":"[Filtered]","pid":"7971"},"fingerprint":["{{ default }}"],"received":1464112636.0,"type":"default","version":"5"}

However the level will NOT no mater how I arange it.

wiibaa · May 24, 2016, 7:17pm

@joshzitting let's move the discussion to https://github.com/javiermatos/logstash-output-sentry/issues/1