logstash-plugins / logstash-filter-grok

Grok plugin to parse unstructured (log) data into something structured.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
Apache License 2.0

add_tag causes incorrect behaviour when using multipatterns #64

Closed nellicus closed 8 years ago

nellicus commented 8 years ago

Using Logstash 2.0

OK

```
grok {
  #failure
  match => { "message" => ["%{SSH_AUTH_1}","%{SSH_AUTH_2}","%{SSH_AUTH_3}"] }
  patterns_dir => "/opt/elk/PRODSEC/FS/conf/logstash/patterns"
}
```

message:Failed password for invalid user tony from 192.168.1.35 port 53652 ssh2 @version:1 @timestamp:November 26th 2015, 15:08:01.000 beat.hostname:w530 beat.name:w530 count:1 fields: - input_type:log offset:178,307 source:/var/log/auth.log type:auth timestamp:Nov 26 15:08:01 logsource:w530 program:sshd pid:20280 user:tony src_ip:192.168.1.35 src_port:53652 auth_type:ssh2 _id:AVFEH3K0kV3T0hSZq2e0 _type:auth _index:logstash-auth-2015.11.26 _score:

BUG (_grokparsefailure is added as a tag despite correct pattern matching)

```
grok {
  #failure
  match => { "message" => ["%{SSH_AUTH_1}","%{SSH_AUTH_2}","%{SSH_AUTH_3}"] }
  patterns_dir => "/opt/elk/PRODSEC/FS/conf/logstash/patterns"
  add_tag => ["auth_fail"]
}
```

message:Failed password for invalid user tony from 192.168.1.35 port 55531 ssh2 @version:1 @timestamp:November 26th 2015, 16:12:44.000 beat.hostname:w530 beat.name:w530 count:1 fields: - input_type:log offset:182,004 source:/var/log/auth.log type:auth timestamp:Nov 26 16:12:44 logsource:w530 program:sshd pid:811 user:tony src_ip:192.168.1.35 src_port:55531 auth_type:ssh2 tags:auth_fail, _grokparsefailure _id:AVFEWrQzkV3T0hSZrRn1 _type:auth _index:logstash-unparsed-2015.11.26 _score:
nellicus commented 8 years ago

Self-assessing as a user config issue (other grok block setting the tag).
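The cause named above, as an added illustration that is not part of the issue or the plugin's own code: grok's `add_tag` only fires when one of the listed patterns matches, and `_grokparsefailure` comes from whichever grok block in the pipeline did not match the event. The second grok block and its sudo pattern are hypothetical; the `SSH_AUTH_*` patterns, the `patterns_dir`, the `auth_fail` tag and the `program` field are taken from the issue.

```logstash
filter {
  # Block 1 (from the issue): any of the three alternatives matching adds
  # "auth_fail"; no match would add _grokparsefailure instead, never both.
  grok {
    match => { "message" => ["%{SSH_AUTH_1}", "%{SSH_AUTH_2}", "%{SSH_AUTH_3}"] }
    patterns_dir => "/opt/elk/PRODSEC/FS/conf/logstash/patterns"
    add_tag => ["auth_fail"]
  }

  # Block 2 (hypothetical): a pattern for a different auth.log line type.
  # Every event still passes through it, so an sshd line that block 1 already
  # parsed fails here and ends up with tags [auth_fail, _grokparsefailure],
  # which is exactly what the second Kibana document in the issue shows.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP} %{HOSTNAME} sudo: %{GREEDYDATA:sudo_detail}" }
    add_tag => ["sudo_event"]
  }
}

# Corrected layout: route each event to the grok block meant for it, so a
# failure tag again means "this line was not parsed", which is what an
# alerting or dashboard rule on _grokparsefailure should be able to rely on.
filter {
  if [program] == "sshd" {
    grok {
      match => { "message" => ["%{SSH_AUTH_1}", "%{SSH_AUTH_2}", "%{SSH_AUTH_3}"] }
      patterns_dir => "/opt/elk/PRODSEC/FS/conf/logstash/patterns"
      add_tag => ["auth_fail"]
      # Distinct failure tag so a genuine sshd parse miss is attributable to
      # this block rather than to a generic _grokparsefailure.
      tag_on_failure => ["_ssh_auth_nomatch"]
    }
  } else if [program] == "sudo" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{HOSTNAME} sudo: %{GREEDYDATA:sudo_detail}" }
      add_tag => ["sudo_event"]
    }
  }
}
```

If no `program` field is available, guarding the second block with `if "auth_fail" not in [tags] { ... }` achieves the same separation.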