Filter not working (Windows, im_file, access.log)

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
McCriddle
Posts: 14
Joined: Thu Feb 12, 2015 4:52 am

Filter not working (Windows, im_file, access.log)

Post by McCriddle »

Hi,

we are evaluating NLS right now.
After testing a few logs on a single server (using the vSphere OVF Template 2015r1.2), we have now moved to a cluster / manual installation setup (2015r1.2b).


We import some Apache access.logs (custom format) from a Windows machine via nxlog.

The events get imported but NLS doesn't apply filters.

Example: (the exact same messages and filters are working on our single test machine)

Code:

if 'apache_access_myformat' in [SourceModuleName] {
	grok {
		match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
	}
	date {
		match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
	}
	mutate {
		replace => [ 'type', 'apache_access' ]
		convert => [ 'bytes', 'integer' ]
		convert => [ 'response', 'integer' ]
	}
}

Code:

{
  "_index": "logstash-2015.02.12",
  "_type": "eventlog",
  "_id": "F9nXsdJMS3aoxyE9tvvNVg",
  "_score": null,
  "_source": {
    "EventReceivedTime": "2015-02-12 10:57:53",
    "SourceModuleName": "apache_access_myformat_app",
    "SourceModuleType": "im_file",
    "message": "10.2.102.8|192.168.131.185|-|[12/Feb/2015:10:57:52 +0100]|GET|/someFolder/|200|4|\"-\"|\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\"|our.vhost.local",
    "@version": "1",
    "@timestamp": "2015-02-12T09:57:53.683Z",
    "host": "192.168.131.185",
    "type": "eventlog"
  },
  "sort": [
    1423735073683,
    1423735073683
  ]
}

Thanks in advance for any ideas.
Mike
McCriddle
Posts: 14
Joined: Thu Feb 12, 2015 4:52 am

Filter not working

Post by McCriddle »

Hi,

we are trying to move from a single NLS test setup (via OVF 2015r1.2) to a cluster setup (manual installation 2015r1.2b).

Right now we have the problem that NLS doesn't apply the filters and just saves the events as they "arrive".

Example: (the exact same messages and filters work on our test setup)

Code:

if 'apache_access_myformat' in [SourceModuleName] {
	grok {
		match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
	}
	date {
		match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
	}
	mutate {
		replace => [ 'type', 'apache_access' ]
		convert => [ 'bytes', 'integer' ]
		convert => [ 'response', 'integer' ]
	}
}

Code:

{
  "_index": "logstash-2015.02.12",
  "_type": "eventlog",
  "_id": "TJbTV-XmTluJyLFNrR3z8w",
  "_score": null,
  "_source": {
    "EventReceivedTime": "2015-02-12 11:18:54",
    "SourceModuleName": "apache_access_myformat_app",
    "SourceModuleType": "im_file",
    "message": "10.2.102.8|192.168.85.86|-|[12/Feb/2015:11:18:53 +0100]|GET|/customer/|200|2135|\"-\"|\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\"|my.vhost.local",
    "@version": "1",
    "@timestamp": "2015-02-12T10:18:54.662Z",
    "host": "192.168.85.86",
    "type": "eventlog"
  },
  "sort": [
    1423736334662,
    1423736334662
  ]
}

Thanks in advance for any suggestions.
Mike
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Filter not working (Windows, im_file, access.log)

Post by scottwilkerson »

Your filter is wrapped in

Code:

if 'apache_access_myformat' in [SourceModuleName] 
However the item received is

Code:

"SourceModuleName": "apache_access_myformat_app",
So the filter is not being applied.
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
McCriddle
Posts: 14
Joined: Thu Feb 12, 2015 4:52 am

Re: Filter not working (Windows, im_file, access.log)

Post by McCriddle »

scottwilkerson wrote: Your filter is wrapped in

Code:

if 'apache_access_myformat' in [SourceModuleName] 
However the item received is

Code:

"SourceModuleName": "apache_access_myformat_app",
So the filter is not being applied.
Yeah, but it should be applied, as 'apache_access_myformat' is in "apache_access_myformat_app".

And the same filter is working fine in the single 2015R1.2 NLS.
McCriddle
Posts: 14
Joined: Thu Feb 12, 2015 4:52 am

Re: Filter not working (Windows, im_file, access.log)

Post by McCriddle »

Okay,

update on this one: it's working as expected without any change.

Seems NLS just needed a night until it took the configuration.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Filter not working (Windows, im_file, access.log)

Post by scottwilkerson »

Glad it's working.
McCriddle wrote: Okay,

update on this one: it's working as expected without any change.

Seems NLS just needed a night until it took the configuration.
The "in" conditional means it is in the list of all possible values for [SourceModuleName]. You could accomplish what you originally intended using a wildcard with a *, such as

Code:

if 'apache_access_myformat*' in [SourceModuleName]
McCriddle
Posts: 14
Joined: Thu Feb 12, 2015 4:52 am

Re: Filter not working (Windows, im_file, access.log)

Post by McCriddle »

Hi again,

unfortunately our filters still aren't working as expected.

They don't seem to be triggered reliably.
Events of the same type from another host get filtered correctly (and I expect that these examples eventually get filtered correctly after a while without further action).

Does anybody have a hint what might be wrong in our setup?

Thanks in advance,
Mike

Here is an example event:

Code:

{
  "_index": "logstash-2015.02.24",
  "_type": "eventlog",
  "_id": "GQkKhvz0Qhu3I6swxsQ2qA",
  "_score": null,
  "_source": {
    "EventReceivedTime": "2015-02-24 10:15:16",
    "SourceModuleName": "apache_access_custom_asp",
    "SourceModuleType": "im_file",
    "message": "1.2.3.4|192.168.131.186|-|[24/Feb/2015:10:15:16 +0100]|GET|/somerequest|200|32178|\"-\"|\"Java/1.7.0_55\"|my.vhost.local",
    "@version": "1",
    "@timestamp": "2015-02-24T09:15:16.855Z",
    "host": "192.168.131.186",
    "type": "eventlog"
  },
  "sort": [
    1424769316855,
    1424769316855
  ]
}
Here is our complete filter:

Code:

# 
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 24 Feb 2015 10:19:09 +0100
#

#
# Global filters
#

filter {
    if [program] == 'apache_access' {
        grok {
            match => [ 'message', '%{COMBINEDAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }

    if 'apache_access_common' in [SourceModuleName] {
        grok {
            match => [ 'message', '%{COMMONAPACHELOG}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
    }

    if [SourceModuleName] == 'apache_access_custom_app' {
        grok {
            break_on_match => false
            match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
            match => [ 'request', '/%{WORD:directory}/%{GREEDYDATA}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
        geoip {
            source => 'clientip'
        }
    }

    if [SourceModuleName] == 'apache_access_custom_asp' {
        grok {
            break_on_match => false
            match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
            match => [ 'request', '/%{WORD:directory}/%{GREEDYDATA}']
        }
        date {
            match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
        }
        mutate {
            replace => [ 'type', 'apache_access' ]
            convert => [ 'bytes', 'integer' ]
            convert => [ 'response', 'integer' ]
        }
        geoip {
            source => 'clientip'
        }
    }

    if 'apache_error' in [SourceModuleName] {
        grok {
            match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] %{GREEDYDATA:errmsg}']
        }
        date {
            match => [ 'timestamp', 'EEE MMM dd HH:mm:ss.SSSSSS yyyy' ]
        }
        mutate {
            replace => [ 'type', 'apache_error' ]
        }
    }
    if [SourceModuleType] == 'im_mseventlog' {
        mutate {
            add_field => [ 'Channel', '%{FileName}' ]
        }
    }
}

#
# Local filters
#
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Filter not working (Windows, im_file, access.log)

Post by scottwilkerson »

I'm not 100% sure what you are going for, but I have a feeling you want to perform a second grok match if the request field contains a word. I believe this would be the correct way to do that

Code:

if [SourceModuleName] == 'apache_access_custom_asp' {
    grok {
        match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
    }
    grok {
        match => [ 'request', '/%{WORD:directory}/%{GREEDYDATA}']
    }
    date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
    }
    mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
    }
    geoip {
        source => 'clientip'
    }
}
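As an added example (not code from the thread and not Nagios or Logstash code), the filter Scott laid out in the post above, modelled in Python so the conditional, both grok passes, the date and the mutate can be run offline against the sample lines posted earlier. It also covers the earlier exchange about the "in" conditional: Logstash's `in` against a string field is a substring test, which is why `'apache_access_myformat' in [SourceModuleName]` does match `apache_access_myformat_app`; the operator has no glob expansion, so a `*` in the needle is matched literally (the regex operator `=~` is the tool for pattern matches). Assumptions: the grok patterns are approximated with looser Python regexes, `%{USER:bytes}` also accepts `-` so the integer conversion maps it to 0, and the sample events are constructed copies of the ones in the thread. One caveat the second sample shows: a second, separate grok block that does not match tags the event `_grokparsefailure` even though the first grok parsed the line, so a request without a `/dir/` prefix ends up tagged as a parse failure.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict, List

# Python approximations of the grok patterns the filter uses (assumption: looser
# than grok's real IPORHOST/HTTPDATE definitions, adequate for the format shown).
IPORHOST = r"[A-Za-z0-9._:-]+"
USER = r"[A-Za-z0-9._-]+"
HTTPDATE = r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"
QS = r'"(?:[^"\\]|\\.)*"'

# First grok: the custom pipe-delimited access line.
ACCESS_RE = re.compile(
    rf"^(?P<clientip>{IPORHOST})\|(?P<hostip>{IPORHOST})\|(?P<auth>{USER})\|"
    rf"\[(?P<timestamp>{HTTPDATE})\]\|(?P<verb>\w+)\|(?P<request>.*)\|"
    rf"(?P<response>\d+)\|(?P<bytes>{USER})\|(?P<referrer>{QS})\|"
    rf"(?P<agent>{QS})\|(?P<vhost>{IPORHOST})$"
)
# Second grok: '/%{WORD:directory}/%{GREEDYDATA}' over the request field.
DIRECTORY_RE = re.compile(r"^/(?P<directory>\w+)/.*")
GROK_FAIL = "_grokparsefailure"  # grok's default tag_on_failure


def logstash_in(needle: str, field: Any) -> bool:
    """Model of Logstash's `'needle' in [field]`: substring test on a string field,
    membership test on an array field, false when the field is absent. No glob
    expansion: a '*' in the needle is just a literal character."""
    if isinstance(field, str):
        return needle in field
    if isinstance(field, (list, tuple)):
        return needle in field
    return False


def apply_filter(event: Dict[str, Any], needle: str = "apache_access_myformat") -> Dict[str, Any]:
    """Run the conditional, both grok blocks, date and mutate on one event and
    return a copy as it would be indexed."""
    out = dict(event)
    if not logstash_in(needle, out.get("SourceModuleName")):
        return out                       # conditional false: indexed untouched
    m = ACCESS_RE.match(out.get("message", ""))
    if m is None:                        # first grok failed: tag, nothing else runs
        out["tags"] = out.get("tags", []) + [GROK_FAIL]
        return out
    out.update(m.groupdict())
    d = DIRECTORY_RE.match(out["request"])
    if d is not None:
        out["directory"] = d.group("directory")
    else:                                # second grok is its own block: it tags too
        out["tags"] = out.get("tags", []) + [GROK_FAIL]
    ts = datetime.strptime(out["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    out["@timestamp"] = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    out["response"] = int(out["response"])
    out["bytes"] = 0 if out["bytes"] == "-" else int(out["bytes"])  # assumption: '-' -> 0
    out["type"] = "apache_access"
    return out


# Constructed sample events modelled on the ones posted in the thread.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"SourceModuleName": "apache_access_myformat_app", "host": "192.168.131.185", "type": "eventlog",
     "message": '10.2.102.8|192.168.131.185|-|[12/Feb/2015:10:57:52 +0100]|GET|/someFolder/|200|4|"-"|'
                '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"|our.vhost.local'},
    {"SourceModuleName": "apache_access_myformat_asp", "host": "192.168.131.186", "type": "eventlog",
     "message": '1.2.3.4|192.168.131.186|-|[24/Feb/2015:10:15:16 +0100]|GET|/somerequest|200|32178|"-"|'
                '"Java/1.7.0_55"|my.vhost.local'},
    # module name does not contain the needle: the filter must not touch it
    {"SourceModuleName": "apache_error_app", "host": "192.168.131.185", "type": "eventlog",
     "message": "[Thu Feb 12 10:57:52.123456 2015] [core:error] constructed error line"},
    # matches the conditional but not the pattern (commas instead of pipes)
    {"SourceModuleName": "apache_access_myformat_app", "host": "192.168.131.185", "type": "eventlog",
     "message": "10.2.102.8,192.168.131.185,-,[12/Feb/2015:10:57:52 +0100],GET,/x/,200,4"},
]


def run_samples() -> List[Dict[str, Any]]:
    return [apply_filter(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in run_samples():
        print(e["type"], e.get("clientip"), e.get("directory"), e.get("bytes"), e.get("tags"))
```

Running it prints one line per sample: the first is fully parsed with `directory` set to `someFolder`, the second is parsed but tagged `_grokparsefailure` by the second grok, the third is left as `eventlog`, and the fourth is tagged without any field being extracted. When checking whether a filter "worked", look at `type`, the extracted fields and `tags` together, since a tagged event and an untouched event look the same in a search that only keys on `type`.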
McCriddle
Posts: 14
Joined: Thu Feb 12, 2015 4:52 am

Re: Filter not working (Windows, im_file, access.log)

Post by McCriddle »

Thanks for your reply.

The problem wasn't the filter, but our instances in the NLS cluster were not processing the events identically. When sent to "server1" the filter worked right; on "server2" it didn't get applied at all.

I set up NLS again with a single instance and don't have these problems anymore (yet).

We will work out our filters on a single instance now and look into the cluster setup later on.

Regards,
Mike
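The symptom described in the post above, the same filter applied on one instance and silently skipped on another, is worth checking for explicitly rather than noticing by accident: an access log that is indexed unparsed is invisible to every search and alert that keys on `clientip`, `response` or `type:apache_access`. As an added example (not code from the thread and not a Nagios tool), a small audit in Python over events exported from Elasticsearch in the shape shown earlier in the thread. It mirrors the conditionals of the complete filter posted above, classifies each event as parsed, grok-failed, silently unapplied or out of scope, and counts outcomes per source host and index. The indexed document does not record which cluster instance processed it, so host and index are the only grouping the data supports; the sample hits are constructed.

```python
from collections import Counter
from typing import Any, Dict, List, Tuple

# Rules mirroring the conditionals in the complete filter posted in the thread:
# (match kind, SourceModuleName value, field the grok adds, type the mutate sets)
FILTER_RULES = [
    ("contains", "apache_access_common", "clientip", "apache_access"),
    ("equals", "apache_access_custom_app", "clientip", "apache_access"),
    ("equals", "apache_access_custom_asp", "clientip", "apache_access"),
    ("contains", "apache_error", "errmsg", "apache_error"),
]
GROK_FAIL = "_grokparsefailure"


def rule_matches(kind: str, needle: str, name: Any) -> bool:
    """Logstash `'x' in [field]` on a string is a substring test; `==` is exact."""
    if not isinstance(name, str):
        return False
    return needle in name if kind == "contains" else name == needle


def classify(hit: Dict[str, Any]) -> str:
    """Outcome of the filter for one exported hit ({'_index': ..., '_source': {...}})."""
    src = hit.get("_source", hit)
    name = src.get("SourceModuleName")
    for kind, needle, field, expected_type in FILTER_RULES:
        if not rule_matches(kind, needle, name):
            continue
        if field in src and src.get("type") == expected_type:
            return "parsed"
        if GROK_FAIL in src.get("tags", []):
            return "grok_failed"          # filter ran, pattern did not match the line
        return "filter_not_applied"       # conditional should have fired, nothing happened
    return "not_in_scope"


def audit(hits: List[Dict[str, Any]]) -> Dict[Tuple[str, str, str], int]:
    """Count (host, index, outcome) so a host whose events arrive unparsed stands out."""
    counts: Counter = Counter()
    for hit in hits:
        src = hit.get("_source", hit)
        counts[(src.get("host", "?"), hit.get("_index", "?"), classify(hit))] += 1
    return dict(counts)


def unparsed_share(hits: List[Dict[str, Any]]) -> float:
    """Fraction of in-scope events the filter silently skipped; alert when it is not 0."""
    outcomes = [o for o in map(classify, hits) if o != "not_in_scope"]
    return outcomes.count("filter_not_applied") / len(outcomes) if outcomes else 0.0


# Constructed sample hits modelled on the events posted in the thread.
SAMPLE_HITS = [
    {"_index": "logstash-2015.02.24", "_source": {
        "SourceModuleName": "apache_access_custom_asp", "host": "192.168.131.186",
        "type": "eventlog",
        "message": '1.2.3.4|192.168.131.186|-|[24/Feb/2015:10:15:16 +0100]|GET|/somerequest|200|32178|"-"|"Java/1.7.0_55"|my.vhost.local'}},
    {"_index": "logstash-2015.02.24", "_source": {
        "SourceModuleName": "apache_access_custom_app", "host": "192.168.85.86",
        "type": "apache_access", "clientip": "10.2.102.8", "response": 200, "bytes": 2135}},
    {"_index": "logstash-2015.02.24", "_source": {
        "SourceModuleName": "apache_access_custom_asp", "host": "192.168.131.186",
        "type": "eventlog", "tags": [GROK_FAIL], "message": "garbled line"}},
    {"_index": "logstash-2015.02.24", "_source": {
        "SourceModuleName": "eventlog", "SourceModuleType": "im_mseventlog",
        "host": "win-dc", "type": "eventlog"}},
]


if __name__ == "__main__":
    for key, n in sorted(audit(SAMPLE_HITS).items()):
        print(key, n)
    print("silently unparsed share:", unparsed_share(SAMPLE_HITS))
```

Feed it the `hits.hits` array of an Elasticsearch search over the day's index and the `filter_not_applied` rows point straight at the hosts (and, in a cluster, by elimination the receiving instance) whose events bypassed the filter. `grok_failed` is a different problem, a pattern that does not fit the line, and should be counted separately so a broken regex is not mistaken for a node that is not running the configuration.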
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Filter not working (Windows, im_file, access.log)

Post by scottwilkerson »

Glad it is working on the new setup.