Working with subfields in logstash


(maxf) #1

Hello.
Im using logstash to parse sysmon events.
So i cant correctly use condition if and change subfields. What am i doing wrong? my config:

filter {
if [log_name] == "Microsoft-Windows-Sysmon/Operational" and [event_id] == 1 {
mutate {
add_field => {"whitelisted" => "false"}
convert => { "whitelisted" => "string" }
}
}
}
if [log_name] == "Microsoft-Windows-Sysmon/Operational" and [event_id] == 1 {
if "true" not in [whitelisted] {
jdbc_streaming {
jdbc_driver_library => "/etc/logstash/conf.d/mysql-connector-java-5.1.44/mysql-connector-java-5.1.44-bin.jar"
jdbc_driver_class => "com.mysql.jdbc.Driver"
jdbc_connection_string => ""
jdbc_user => ""
jdbc_password => ""
cache_size => 1500
cache_expiration => 600
statement => "select test_sp(:image) as 'sp_out'"
parameters => { "image" => "[event_data][Image]"}
target => "sqlfiltered"
}
}
mutate {
convert => { "[sqlfiltered][sp_out]" => "string" }
}
if "%{[sqlfiltered][sp_out]}" == 'true' {
mutate {
replace => { "sp_out" => "test" }
}
}
if "true" in "%{[sqlfiltered][sp_out]}"
{
mutate { replace => { "whitelisted" => "true" }}
}
}

And my output is like

{"computer_name":"test2.test.info","process_id":1912,"level":"Information","log_name":"Microsoft-Windows-Sysmon/Operational","record_number":"55909","event_data":{"ParentImage":"C:\Windows\explorer.exe","LogonGuid":"{4B1AF279-B975-59C0-0000-002093790600}","User":"test\user","IntegrityLevel":"High","TerminalSessionId":"2","ParentProcessId":"3188","Image":"C:\Users\user\Desktop\winrar-x64-501ru.exe","ProcessGuid":"{4B1AF279-2FC5-59D6-0000-0010968DD30E}","UtcTime":"2017-10-05 13:12:37.323","CurrentDirectory":"C:\Users\user\Desktop\","CommandLine":""C:\Users\user\Desktop\winrar-x64-501ru.exe" ","Hashes":"MD5=BD37829CB1CAF78743A928E0A64D6DFE","ProcessId":"4380","ParentCommandLine":"C:\Windows\Explorer.EXE","ParentProcessGuid":"{4B1AF279-B978-59C0-0000-0010ACC50600}","LogonId":"0x67993"},"message":"Process Create:\nUtcTime: 2017-10-05 13:12:37.323\nProcessGuid: {4B1AF279-2FC5-59D6-0000-0010968DD30E}\nProcessId: 4380\nImage: C:\Users\user\Desktop\winrar-x64-501ru.exe\nCommandLine: "C:\Users\user\Desktop\winrar-x64-501ru.exe" \nCurrentDirectory: C:\Users\user\Desktop\\nUser: test\user\nLogonGuid: {4B1AF279-B975-59C0-0000-002093790600}\nLogonId: 0x67993\nTerminalSessionId: 2\nIntegrityLevel: High\nHashes: MD5=BD37829CB1CAF78743A928E0A64D6DFE\nParentProcessGuid: {4B1AF279-B978-59C0-0000-0010ACC50600}\nParentProcessId: 3188\nParentImage: C:\Windows\explorer.exe\nParentCommandLine: C:\Windows\Explorer.EXE","type":"wineventlog","opcode":"Info","sqlfiltered":[{"sp_out":"true"}],"version":5,"tags":["beats_input_codec_plain_applied"],"thread_id":4344,"@timestamp":"2017-10-05T13:12:37.324Z","task":"Process Create (rule: ProcessCreate)","event_id":1,"provider_guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","@version":"1","beat":{"hostname":"test1","name":"test1","version":"5.6.0"},"host":"test1","whitelisted":"false","user":{"identifier":"S-1-5-18","domain":"NT AUTHORITY","name":"SYSTEM","type":"User"},"source_name":"Microsoft-Windows-Sysmon"}

so we see, [sqlfiltered][sp_out] = true , but if "%{[sqlfiltered][sp_out]}" == 'true' and if "true" in "%{[sqlfiltered][sp_out]}" are false


(Magnus Bäck) #2

Do this instead:

if [sqlfiltered][sp_out] == 'true'

(maxf) #3

not helps.
i changed to

if [sqlfiltered][sp_out] == 'true'
{
mutate { replace => { "whitelisted" => "true" }}
}

but its still in output

"sqlfiltered":[{"sp_out":"true"}],
"whitelisted":"false"


(Magnus Bäck) #4

sqlfiltered is an array so you need this:

if [sqlfiltered][0][sp_out] == 'true'

(maxf) #5

thanks a lot. it works and im happy


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.