this is my first experience with the ELK stack and I'm trying to filter some hosts through the Logstash (v7.11) drop function but obviously I'm doing something wrong because despite trying to exclude the host using the variables: ip, hostname, type seems to ignore them anyway
Currently the json looks like this:
{
"_index": "syslog-2021.02",
"_type": "_doc",
"_id": "w83syncB6OFB5F4c_Fkq",
"_version": 1,
"_score": null,
"_source": {
"host": {
"id": "2d716776-19df-4dfe-8022-497a1539bb58",
"name": "DOM1.contoso.com",
"hostname": "DOM1",
"architecture": "x86_64",
"ip": [
"fe80::247b:aa07:b20:a19",
"192.168.1.100"
],
"mac": [
"00:18:3a:4f:5d:4b"
],
"os": {
"kernel": "10.0.17763.1577 (WinBuild.160101.0800)",
"name": "Windows Server 2019 Standard",
"version": "10.0",
"platform": "windows",
"build": "17763.1577",
"family": "windows"
}
},
"log": {
"level": "information"
},
"tags": [
"beats_input_codec_plain_applied"
],
"agent": {
"version": "7.11.1",
"id": "0cf7eacf-d605-46d4-a9cb-b0f7b5991c97",
"hostname": "DOM1",
"ephemeral_id": "f702e826-9c20-4140-8a0b-5ba6a5c46050",
"name": "DOM1",
"type": "winlogbeat"
},
"ecs": {
"version": "1.7.0"
},
"winlog": {
"record_id": 144825686,
"keywords": [
"Audit Success"
],
"channel": "Security",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Security-Auditing",
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"opcode": "Info",
"event_id": 4634,
"computer_name": "DOM1.contoso.com",
"task": "Logoff",
"process": {
"thread": {
"id": 2664
},
"pid": 956
},
"event_data": {
"LogonType": "3",
"TargetUserName": "testuser",
"TargetDomainName": "CONTOSO",
"TargetLogonId": "0x5016a75e",
"TargetUserSid": "S-1-5-21-1960408961-362288127-682003330-2659"
}
},
"event": {
"code": 4634,
"action": "Logoff",
"provider": "Microsoft-Windows-Security-Auditing",
"created": "2021-02-22T18:07:41.305Z",
"kind": "event",
"outcome": "success"
},
"message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-196040961-865488157-6821234550-3259\n\tAccount Name:\t\ttestuser\n\tAccount Domain:\t\tCONTOSO\n\tLogon ID:\t\t0x5016A75E\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
"@version": "1",
"@timestamp": "2021-02-22T18:07:39.812Z"
},
"fields": {
"@timestamp": [
"2021-02-22T18:07:39.812Z"
],
"event.created": [
"2021-02-22T18:07:41.305Z"
]
},
"sort": [
1614017259812
]
}
The config file looks like:
input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
filter {
if [type] == "winlogbeat" {
drop { }
}
if [hostname] == "DOM1" {
drop { }
}
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "syslog-%{+YYYY.MM}"
}
stdout {
codec => rubydebug
}
}
There is no field named type or hostname in your document, that's why your conditional is not working.
You have a field named agent.hostname with the value DOM1, there is also a field named host.hostname with the same value and there is a field named agent.type with the value winlogbeat, you need to use one of those fields in your conditional.
The following conditional should work.
if [agent][hostname] == "DOM1" {
drop {}
}