I am trying to use the Logstash Translate Filter to enrich network data that bro is generating and that I'm ingesting into my ELK stack. For example, here is how I was enriching data manually:
```
translate {
  field => "id.orig_h"
  destination => "src_comp_name"
  dictionary => [
    "192.168.1.1", "Home_Router",
    "192.168.1.150", "My_Laptop",
    "192.168.1.210", "My_Desktop"
  ]
}
```
While this works, it doesn't scale for what I am going to eventually need it for. So I'm trying to move my dictionary to a yaml file and use regex to match IP addresses to assign them tags. So I edited my translate function to:
```
translate {
  field => "id.orig_h"
  destination => "src_comp_name"
  dictionary_path => '/etc/logstash/config/compNames.yaml'
}
```
Below is the contents of roughly what I want to do in the yaml file:
```yaml
'^192\.168\.1\.[1-2]$': "Home_Routers"
'^192\.168\.1\.1[0-9]{2}$': "Home_Laptops"
'^192\.168\.1\.2[0-9]{2}$': "Home_Desktops"
```
This would cause `192.168.1.1/2` to be tagged as routers, anything in the `.100-199` range to be tagged as Home_Laptops, and anything from `.200-255` to be tagged as "Home_Desktops". I have tried multiple ways of using regex in the YAML file, but I'm either getting errors like `LogStash::Filters::Translate: can't convert Array into Hash when loading dictionary file at /etc/logstash/config/compNames.yaml`, or Logstash is correctly starting but not tagging traffic that should be matching.
Any guidance out there on how to implement regex matching in a yaml file for data enrichment via Logstash Translate Filter?
Add this to the translate function:

```
"exact" => true,
"regex" => true
```