Wrong filter?

[rhassing]

Hello,

What could be wrong with the following filter:
I have a logentry:

Code: Select all

VMM01 wms[6466]: <126005> <6466> <WARN> <VMM01 10.10.32.11> |ids| Interfering AP: The system classified an access point (BSSID 00:df:03:00:00:26 and SSID MB WLAN 61619 on CHANNEL 6) as interfering. Additional Info: Detector-AP-Name:AP-03-AP135; Detector-AP-MAC:00:5d:00:48:00:c0; Detector-AP-Radio:2.

And my filter looks like this:

Code: Select all

if [message] =~ /VMM01.*\|ids\|.*/ {
   grok {
        match => [ 'message', 'VMM01.*\|ids\| %{GREEDYDATA:dis-type}: %{GREEDYDATA:data}' ]
   }
   mutate {
        replace => [ 'type', 'aruba-ids' ]
   }
}

If I apply this filter all logging seems to be dropped for this logsource.

Best regards,

[mcapra]

I think that's incorrect syntax for a replace step:
https://www.elastic.co/guide/en/logstas ... te-replace

[rhassing]

That replacement is working for this filter:

Code: Select all

if [type] == 'syslog' and [message] =~ /.*Insight.*/ {
   grok {
        match => [ 'message', '.*Insight.*Auth.Username=%{USERNAME:user},Auth.Protocol=%{GREEDYDATA:protocol},Auth.NAS-IP-Address=%{IP:nas-ip},CppmNode.CPPM-Node=%{IP:cppm-node},Auth.Login-Status=%{INT:status},Auth.Service=%{GREEDYDATA:service},Auth.Roles=%{GREEDYDATA:role},Auth.Enforcement-Profiles=%{GREEDYDATA:profile}.*' ]
   }
   mutate {
        replace => [ 'type', 'clearpass' ]
   }
}

[ssax]

I labbed it up with your exact ones and it's working properly on mine.

Please PM me a copy of your profile, you can download it from Admin > System Status by clicking the Download System Profile button.

[rhassing]

Very strange, I re applied the same filter and now it's working.
Not sure what went wrong the other day...

[benjaminsmith]

Hi Rob,

Glad to hear it's working now.

We'll go ahead and close this post, but feel free to open another if you have any new questions.