Wrong filter?

Posted: Sun Apr 11, 2021 3:54 am
by rhassing
Hello,

What could be wrong with the following filter:
I have a logentry:

VMM01 wms[6466]: <126005> <6466> <WARN> <VMM01 10.10.32.11> |ids| Interfering AP: The system classified an access point (BSSID 00:df:03:00:00:26 and SSID MB WLAN 61619 on CHANNEL 6) as interfering. Additional Info: Detector-AP-Name:AP-03-AP135; Detector-AP-MAC:00:5d:00:48:00:c0; Detector-AP-Radio:2.
And my filter looks like this:

# Match only events from the VMM01 controller that carry the |ids| module tag
if [message] =~ /VMM01.*\|ids\|.*/ {
   grok {
        # Split the text after |ids| into the event kind and its details
        match => [ 'message', 'VMM01.*\|ids\| %{GREEDYDATA:dis-type}: %{GREEDYDATA:data}' ]
   }
   mutate {
        # Retag the event so later filters and dashboards can select it
        replace => [ 'type', 'aruba-ids' ]
   }
}
If I apply this filter, all logging seems to be dropped for this log source.

Best regards,

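As an added check that is not part of the original thread: a small Python emulation of the posted grok pattern, run against the log line quoted above (re-typed here as constructed sample data). It assumes only the two grok patterns it needs, GREEDYDATA as `.*` and DATA as `.*?`, which is how the Logstash pattern library defines them, and ignores the rest of the library. It shows that the posted pattern does match the line, but because both captures are GREEDYDATA the split lands on the last ": " in the message, so dis-type swallows most of the text; a DATA capture in the first position (my suggestion, not the poster's) is run alongside for comparison. Note that in Logstash a grok miss tags the event with _grokparsefailure rather than dropping it, so a failed match on its own would not explain missing events.

```python
import re

# Minimal stand-in for the Logstash grok pattern library.
# Only the two patterns this filter needs are defined here (assumption:
# the rest of the library is irrelevant to the posted pattern).
GROK_PATTERNS = {
    "GREEDYDATA": r".*",   # greedy, backtracks to the LAST possible separator
    "DATA": r".*?",        # lazy, stops at the FIRST possible separator
}

# Constructed sample line, re-typed from the forum post (not a live capture).
SAMPLE_MESSAGE = (
    "VMM01 wms[6466]: <126005> <6466> <WARN> <VMM01 10.10.32.11> |ids| "
    "Interfering AP: The system classified an access point "
    "(BSSID 00:df:03:00:00:26 and SSID MB WLAN 61619 on CHANNEL 6) as interfering. "
    "Additional Info: Detector-AP-Name:AP-03-AP135; "
    "Detector-AP-MAC:00:5d:00:48:00:c0; Detector-AP-Radio:2."
)

# The grok pattern and the 'if' guard exactly as posted.
POSTED_GROK = r"VMM01.*\|ids\| %{GREEDYDATA:dis-type}: %{GREEDYDATA:data}"
POSTED_CONDITION = r"VMM01.*\|ids\|.*"

# Same pattern with a lazy first capture, so the split happens at the first ": ".
NONGREEDY_GROK = r"VMM01.*\|ids\| %{DATA:dis-type}: %{GREEDYDATA:data}"

_FIELD_REF = re.compile(r"%\{(?P<name>[A-Z0-9_]+)(?::(?P<field>[^}]+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into a compiled Python regex.

    Grok allows '-' in field names but Python group names do not, so each
    capture gets a safe group name and a mapping back to the grok field name
    is returned alongside the regex.
    """
    fields = {}

    def expand(m):
        sub = GROK_PATTERNS[m.group("name")]
        field = m.group("field")
        if field is None:
            return f"(?:{sub})"
        group = f"f{len(fields)}"
        fields[group] = field
        return f"(?P<{group}>{sub})"

    return re.compile(_FIELD_REF.sub(expand, pattern)), fields


def grok_match(pattern, message):
    """Return the extracted fields as a dict, or None where grok would fail.

    grok's match is a search, not an anchored match, so re.search is used.
    """
    regex, fields = grok_to_regex(pattern)
    m = regex.search(message)
    if m is None:
        return None
    return {fields[g]: v for g, v in m.groupdict().items()}


def condition_matches(message):
    """The filter's 'if [message] =~ /VMM01.*\\|ids\\|.*/' guard."""
    return re.search(POSTED_CONDITION, message) is not None


if __name__ == "__main__":
    print("guard passes:", condition_matches(SAMPLE_MESSAGE))
    for label, pat in (("posted", POSTED_GROK), ("lazy first capture", NONGREEDY_GROK)):
        result = grok_match(pat, SAMPLE_MESSAGE)
        print(f"{label}:")
        for field, value in result.items():
            print(f"  {field} = {value!r}")
```

With the posted pattern, dis-type ends up as everything from "Interfering AP" through "Additional Info" and data holds only the detector fields; with the lazy first capture, dis-type is just "Interfering AP" and data carries the full description, which is the split the field names suggest was intended. A line that carries |ids| but no ": " after it returns None, which is the case Logstash would tag as _grokparsefailure.
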
Re: Wrong filter?

Posted: Mon Apr 12, 2021 9:05 am
by mcapra
I think that's incorrect syntax for a replace step:
https://www.elastic.co/guide/en/logstas ... te-replace

Re: Wrong filter?

Posted: Mon Apr 12, 2021 11:24 am
by rhassing
That replacement is working for this filter:

# ClearPass Insight events arriving over syslog
if [type] == 'syslog' and [message] =~ /.*Insight.*/ {
   grok {
        # Pull the RADIUS authentication fields out of the Insight message
        match => [ 'message', '.*Insight.*Auth.Username=%{USERNAME:user},Auth.Protocol=%{GREEDYDATA:protocol},Auth.NAS-IP-Address=%{IP:nas-ip},CppmNode.CPPM-Node=%{IP:cppm-node},Auth.Login-Status=%{INT:status},Auth.Service=%{GREEDYDATA:service},Auth.Roles=%{GREEDYDATA:role},Auth.Enforcement-Profiles=%{GREEDYDATA:profile}.*' ]
   }
   mutate {
        # Retag the event so later filters and dashboards can select it
        replace => [ 'type', 'clearpass' ]
   }
}

Re: Wrong filter?

Posted: Mon Apr 12, 2021 11:48 am
by ssax
I labbed it up with your exact ones and it's working properly on mine.

Please PM me a copy of your profile, you can download it from Admin > System Status by clicking the Download System Profile button.

Re: Wrong filter?

Posted: Mon Apr 12, 2021 12:05 pm
by rhassing
Very strange, I re-applied the same filter and now it's working. :D
Not sure what went wrong the other day...

Re: Wrong filter?

Posted: Tue Apr 13, 2021 10:41 am
by benjaminsmith
Hi Rob,

Glad to hear it's working now.

We'll go ahead and close this post, but feel free to open another if you have any new questions.