Test Logstash Pipelines/Filters Before Implementation


Use case:

Detect whether a parsed log event contains a single warning message or several, and add a field recording which case applies.

Logstash configuration & testing:

Suppose that we have the following log files representing both cases described above:

[root@localhost logstashfilter]# cat multivaluewarn.json

{"waf": {"ver": "2.0","warnRules": "3000030;3000057;950001;950109;959073;973335;981173;981244;981318","denyMsg": "Anomaly Score Exceeded for SQL Injection","denyActions": "3","warnMsg": "Basic SQL Authentication Bypass Attempts 3/3;Cross-site Scripting (XSS) common keywords;SQL Injection Attack;Multiple URL Encoding Detected;SQL Injection Attack;IE XSS Filters - Attack Detected;Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded;Basic SQL Authentication Bypass Attempts 1/3;SQL Injection Attack: Common Injection Testing Detected"}} 
[root@localhost logstashfilter]# cat singlevaluewarn.json 
{"waf": {"ver": "2.0","warnRules": "681984","policy": "api_89894","warnMsg": "Alert rq without DEVICEID header","warnTags": "DEVICEID_Detection","warnActions": "2"}}

Reading the logs, we can see that the field [waf][warnMsg] separates multiple warning messages with a semicolon (;).

Translating the gathered information into a Logstash pipeline would result in:

input {
  stdin { codec => json }
}
filter {
  # The WAF joins several warnings with ';' inside [waf][warnMsg]
  if ";" in [waf][warnMsg] {
    mutate {
      add_field => { "wafWarningMSG" => "multi warnings" }
    }
  }
  # Only label "single" when the field is actually present; otherwise an
  # event without any warnMsg would also end up in this branch
  else if [waf][warnMsg] {
    mutate {
      add_field => { "wafWarningMSG" => "single" }
    }
  }
}

Save the pipeline to a conf file (here called warningPipeline.conf), then test it and view the result with the Logstash binary, feeding one of the sample files on stdin: /usr/share/logstash/bin/logstash -f warningPipeline.conf < multivaluewarn.json

The output shows the new field wafWarningMSG with the value multi warnings:

{
       "@timestamp" => 2022-09-20T13:46:13.355Z,
         "@version" => "1",
             "host" => "localhost.localdomain",
              "waf" => {
        "denyActions" => "3",
                "ver" => "2.0",
            "warnMsg" => "Basic SQL Authentication Bypass Attempts 3/3;Cross-site Scripting (XSS) common keywords;SQL Injection Attack;Multiple URL Encoding Detected;SQL Injection Attack;IE XSS Filters - Attack Detected;Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded;Basic SQL Authentication Bypass Attempts 1/3;SQL Injection Attack: Common Injection Testing Detected",
          "warnRules" => "3000030;3000057;950001;950109;959073;973335;981173;981244;981318",
            "denyMsg" => "Anomaly Score Exceeded for SQL Injection"
    },
    "wafWarningMSG" => "multi warnings"
}
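To know what each fixture should produce before running it through the Logstash binary, the same decision can be rehearsed in a few lines of Python. This is an added example, not code from the original post; it goes a step beyond the conf above by also splitting the ';'-separated list into a count and a list of individual warnings, and by leaving events without any [waf][warnMsg] unlabelled. The sample lines are constructed, shortened copies of the two log files shown earlier plus one event with no warning at all.

```python
import json

# Constructed sample log lines (shortened copies of the fixtures above, plus
# a case the original pipeline does not cover: an event with no warnMsg).
MULTI_LINE = ('{"waf": {"ver": "2.0","warnRules": "3000030;3000057;950001",'
              '"warnMsg": "Basic SQL Authentication Bypass Attempts 3/3;'
              'Cross-site Scripting (XSS) common keywords;SQL Injection Attack"}}')
SINGLE_LINE = ('{"waf": {"ver": "2.0","warnRules": "681984",'
               '"warnMsg": "Alert rq without DEVICEID header"}}')
NO_WARN_LINE = '{"waf": {"ver": "2.0","denyMsg": "Anomaly Score Exceeded for SQL Injection"}}'


def classify_warnings(event: dict) -> dict:
    """Apply the same decision as warningPipeline.conf and enrich the event.

    Adds wafWarningMSG ("multi warnings" or "single") exactly as the filter
    does, plus wafWarningCount and wafWarnings (the split list). An event
    without a string [waf][warnMsg] gets only wafWarningCount = 0.
    """
    warn_msg = event.get("waf", {}).get("warnMsg")
    if not isinstance(warn_msg, str) or not warn_msg.strip():
        event["wafWarningCount"] = 0
        return event
    # Split on the WAF's ';' separator; drop empty pieces so a trailing
    # semicolon does not inflate the count.
    warnings = [w.strip() for w in warn_msg.split(";") if w.strip()]
    event["wafWarnings"] = warnings
    event["wafWarningCount"] = len(warnings)
    event["wafWarningMSG"] = "multi warnings" if len(warnings) > 1 else "single"
    return event


def classify_line(line: str) -> dict:
    """Parse one JSON log line (as the stdin json codec would) and classify it."""
    return classify_warnings(json.loads(line))


if __name__ == "__main__":
    for line in (MULTI_LINE, SINGLE_LINE, NO_WARN_LINE):
        out = classify_line(line)
        print(out.get("wafWarningMSG", "<no label>"), out["wafWarningCount"])
```

Run it once per fixture and compare the printed label with the wafWarningMSG value Logstash emits for the same file.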

Hope you find it useful and feel free to reach out for any questions 😀
