Closed MarkVanAcker closed 10 months ago
Looking at this, will update.
Hey, thanks for the post. I have spent a handful of years dealing with this logic bomb and slip-up. I had performed this correctly in the conn log, but it appears they won't let you convert a boolean to a string (frozen string error).
The `if "" in [field]` also unfortunately does not work.
I have a solution; we'll have it rolled out to the repo at some point. There are a handful of ways to accomplish it. The latter two (04/05) are the way to go, or just some temporary short Ruby.
```
# sudo /usr/share/logstash/bin/logstash -f /home/neutron/PycharmProjects/corelight/ecs-templates/test.conf
# {"success": true}
# {"success": false}
input {
  stdin {
    codec => json
  }
}
filter {
  mutate {
    rename => { "success" => "[kerberos][request][successful]" }
    copy => { "[kerberos][request][successful]" => "test_copy" }
    #convert => { "test_rename" => "string" }
    add_field => { "added_field" => "%{[kerberos][request][successful]}" }
  }
  if [kerberos][request][successful] {
    mutate {
      add_field => { "when" => "01" }
    }
  }
  if "" in [kerberos][request][successful] {
    mutate {
      add_field => { "when" => "02" }
    }
  }
  if [added_field] !~ /^%\{\[kerberos\]\[request\]\[successful\]\}$/ {
    mutate {
      add_field => { "when" => "03" }
    }
  }
  if [kerberos][request][successful] in [ "true", "false" ] {
    mutate {
      add_field => { "when" => "04" }
    }
  }
  if [kerberos][request][successful] in [ true, false ] {
    mutate {
      add_field => { "when" => "05" }
    }
    translate {
      field => "[kerberos][request][successful]"
      exact => true
      dictionary => [
        "true", "success",
        "false", "failure"
      ]
      destination => "[event][outcome]"
      add_field => {
        "[@metadata][etl][pipeline]" => "filter-translate-df8c84054aee-20220329.01"
      }
      id => "filter-translate-df8c84054aee"
    }
  }
}
output {
  stdout { codec => rubydebug }
}
```
```
{"success": false}
{
      "test_copy" => false,
       "kerberos" => {
        "request" => {
            "successful" => false
        }
    },
       "@version" => "1",
          "event" => {
        "original" => "{\"success\": false}\n",
         "outcome" => "failure"
    },
           "when" => [
        [0] "03",
        [1] "04",
        [2] "05"
    ],
    "added_field" => "false"
}
{"success": true}
{
          "event" => {
        "original" => "{\"success\": true}\n",
         "outcome" => "success"
    },
       "@version" => "1",
      "test_copy" => true,
           "when" => [
        [0] "01",
        [1] "03",
        [2] "04",
        [3] "05"
    ],
       "kerberos" => {
        "request" => {
            "successful" => true
        }
    },
    "added_field" => "true"
}
{"sucxxxcess": true}
{
          "event" => {
        "original" => "{\"sucxxxcess\": true}\n"
    },
       "@version" => "1",
     "@timestamp" => 2023-10-31T20:08:21.325245638Z,
           "host" => {
        "hostname" => "bandstand"
    },
    "added_field" => "%{[kerberos][request][successful]}"
}
```
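As an added example (not code from this thread or from the ecs-templates repo), here is the "short ruby" alternative spelled out as plain Ruby: the logic a Logstash `ruby` filter body would carry, written so a missing field (nil) is told apart from a present boolean `false`. The field reference `[kerberos][request][successful]` and the nested event-hash shape are taken from the rubydebug output above; `get_field`, `kerberos_outcome` and `enrich` are names chosen for this example.

```ruby
# Added example, not part of the original post or repo.
# Models what a Logstash ruby filter would do for the Kerberos success flag,
# avoiding the trap of `if [kerberos][request][successful]`, which is false
# both when the field is absent and when its value is boolean false.

# ECS event.outcome values for the two Kerberos outcomes.
OUTCOME_BY_FLAG = { true => 'success', false => 'failure' }.freeze

# Map the success flag to an event.outcome value.
# Accepts booleans (what the json codec yields from Zeek/Corelight logs) and
# the strings "true"/"false" (what a copied or converted field may hold).
# Returns nil when the field is absent so the caller leaves event.outcome unset.
def kerberos_outcome(successful)
  return nil if successful.nil?          # absent field: do not invent an outcome
  flag = case successful
         when true, false then successful
         when 'true' then true
         when 'false' then false
         else return 'unknown'           # unexpected value: ECS allows "unknown"
         end
  OUTCOME_BY_FLAG[flag]
end

# Read a nested value from a parsed event hash using a Logstash-style
# reference such as "[kerberos][request][successful]"; nil if any level is missing.
def get_field(event, ref)
  ref.scan(/\[([^\]]+)\]/).flatten.reduce(event) do |node, key|
    return nil unless node.is_a?(Hash)
    node[key]
  end
end

# Set [event][outcome] only when the source field exists, mirroring the
# translate step in the pipeline above (true -> success, false -> failure).
def enrich(event)
  outcome = kerberos_outcome(get_field(event, '[kerberos][request][successful]'))
  return event if outcome.nil?
  (event['event'] ||= {})['outcome'] = outcome
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events matching the three stdin tests above.
  [{ 'kerberos' => { 'request' => { 'successful' => false } } },
   { 'kerberos' => { 'request' => { 'successful' => true } } },
   { 'sucxxxcess' => true }].each { |ev| p enrich(ev) }
end
```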
Hi,
Thank you for your reply and solution. Any news on when this will be added to the repo?
Thanks
Hi @MarkVanAcker, sorry for the late reply! This is fixed in the latest on the main branch.
Let us know if you have any questions/concerns or need anything else.
Hi,
We are currently using this mapping for our ingestion chain. We noticed that in this code block, the logic seems to be inverted (true -> failure, false -> success). Could this be a bug?
Also, the top `if [kerberos][request][successful] {` returns false not only when the field does not exist, but also when the value itself is false. A fix for this could be replacing it with `if "" in [kerberos][request][successful]`, which should only return false if the value does not exist.