Open q2dg opened 4 years ago
Hi @q2dg, thanks for the report.

Could it be that `priority` is `"1"` instead of the number `1`?

Also, you've pasted the same conditional for the "before" and "after"; can you edit your original comment to add the "before" conditional that has the `>`?

Also, I'd suggest using an `output { stdout { } }` so we can see the actual event structure.
Hello. Thanks for your interest! Yes, sorry, I copy-pasted quickly... it was a `>` "before"... I've edited the message accordingly.

I've tried your suggestion and I've written `"1"` instead of `1`. The difference is that now Logstash doesn't break, but it doesn't apply the condition either. So the behaviour when writing `!= 1` or `> "1"` is the same now.

Here is a random JSON event collected by Kibana from my Logstash to show its internal structure, as you requested:
```json
{
  "_index": "logstash",
  "_type": "_doc",
  "_id": "2mYKT3EBIO8el8cNzWTb",
  "_version": 1,
  "_score": null,
  "_source": {
    "event": {
      "created": "2020-04-06T10:30:39.225Z"
    },
    "@version": "1",
    "message": "pam_unix(sudo:session): session opened for user root by usuari(uid=0)",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "journald": {
      "custom": {
        "syslog_timestamp": "Apr 6 12:30:38 ",
        "selinux_context": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
      }
    },
    "systemd": {
      "transport": "syslog",
      "user_slice": "-.slice",
      "owner_uid": 1000,
      "slice": "user-1000.slice",
      "unit": "session-1.scope",
      "cgroup": "/user.slice/user-1000.slice/session-1.scope",
      "invocation_id": "d077a5b808e644d59fb00d1b30937de6",
      "session": "1"
    },
    "ecs": {
      "version": "1.4.0"
    },
    "agent": {
      "type": "journalbeat",
      "id": "99cf4a51-e0d5-44ff-bfb3-1cea537acf43",
      "ephemeral_id": "8242203b-3427-41b6-b55b-b62a4df98878",
      "hostname": "localhost.localdomain",
      "version": "7.6.0"
    },
    "host": {
      "id": "282c93309eb540b58dd251c67274278c",
      "architecture": "x86_64",
      "containerized": false,
      "name": "localhost.localdomain",
      "boot_id": "ae2ea0885b414abcab2d81c7e7228157",
      "hostname": "localhost.localdomain",
      "os": {
        "platform": "fedora",
        "family": "redhat",
        "version": "30 (Server Edition)",
        "name": "Fedora",
        "codename": "Thirty",
        "kernel": "5.0.9-301.fc30.x86_64"
      }
    },
    "process": {
      "executable": "/usr/bin/sudo",
      "cmd": "sudo nano /etc/logstash/conf.d/pipe.conf",
      "capabilites": "3fffffffff",
      "audit": {
        "session": "1",
        "login_uid": 1000
      },
      "name": "sudo",
      "uid": 0,
      "pid": 1648
    },
    "syslog": {
      "priority": 6,
      "facility": 10,
      "identifier": "sudo"
    },
    "@timestamp": "2020-04-06T10:30:38.493Z"
  },
  "fields": {
    "@timestamp": [
      "2020-04-06T10:30:38.493Z"
    ],
    "event.created": [
      "2020-04-06T10:30:39.225Z"
    ]
  },
  "sort": [
    1586169038493
  ]
}
```
Finally, I attach one file and an image to show that `syslog.priority` is a number field.

Thanks a lot for your work!
Hello. I'm running JournalBeat 7.6.0, which sends unfiltered data to a Logstash 7.6.0 server, all running on one Fedora 30 system. I just want to process events from the sudo command with a priority greater than 1. So, inside a `filter { }` section in a Logstash conf file I've put this:

```
if [process][name] != "sudo" and [syslog][priority] > 1 { drop { } }
```

Well, Logstash breaks very badly with the error message I've attached in the following image.

Finally I've discovered the problem was the `>` character. So, although it's not the same, I've tried with this other configuration:

```
if [process][name] != "sudo" and [syslog][priority] != 1 { drop { } }
```

Writing `!=` instead of `>` makes Logstash not break, but the bad news is that now the second condition is completely ignored: I record all events generated by sudo regardless of the priority value.

So I infer it's a Logstash bug.

P.S.: If I put the line

```
include_matches: ["syslog.priority=1"]
```

inside the journalbeat.yml file and then I put this condition (`if [process][name] != "sudo" { drop { } }`) in the Logstash conf file, it works, so it's not a problem with the original data: something is wrong when Logstash parses this numerical conditional. Thanks