Use a match field from the message field in a conditional of the logstash output

Hello, it is my first question, if there is something wrong, please forgive me.

I present my problem to you: in my Logstash I get logs from Sophos XG. The Sophos logs reach me in the "message" field, so with the filter, grok and match option I extract them. Then the output sends them to elasticsearch. What I want is to evaluate the "status" field in a conditional, and if it is "Deny" also send them to my Splunk. The latter is what I can't do. Can you help me? Thank you. I leave my code so you can review it:

    input {
      udp {
        port => 515
        type => "sophos_log"
      }
    }

    filter {
      if [type] == "sophos_log" {
        grok {
          match => { "message" => 'log_subtype="%{NOTSPACE:log_subtype}"' }
        }
        grok {
          match => { "message" => 'status="%{DATA:status}"' }
        }
        grok {
          match => { "message" => "priority=%{NOTSPACE:priority}" }
        }
      }
    }

    output {
      if [type] == "sophos_log" {
        elasticsearch {
          hosts => ["<host_ip>:<host_port>"]
          index => "sophos-xg"
        }
      }

      if "%{[status]}" == "Deny" {
        udp {
          host => [""]
          port => ["<host_port>"]
        }
      }
    }

The extracted fields do reach elasticsearch well, but the conditional does not evaluate my "status" field, and nothing reaches Splunk. However, if I remove the conditional, the logs are forwarded to Splunk. Can you help me, thanks.

I think that test should be

if [status] == "Deny" {
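A corrected output section, added here as an example (it is not the original poster's config or the reply's code), showing the bare field reference in the conditional and nesting the Splunk forward under the same type check; the Elasticsearch and Splunk host and port values are placeholders.

```logstash
output {
  if [type] == "sophos_log" {
    elasticsearch {
      hosts => ["<host_ip>:<host_port>"]   # placeholder from the question
      index => "sophos-xg"
    }

    # Conditionals take bare field references such as [status].
    # The sprintf form %{[status]} is only expanded inside plugin option
    # strings (e.g. an index name), so the original test compared the
    # literal text "%{[status]}" with "Deny" and was always false.
    if [status] == "Deny" {
      udp {
        host => "<splunk_host>"     # assumed placeholder: a single host string, not an array
        port => <splunk_udp_port>   # assumed placeholder: a single number, not an array
      }
    }
  }
}
```

If the `status` grok pattern does not match, the field is absent and the comparison simply evaluates to false, so no event is forwarded to Splunk for that line.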
