Merge pull request #523 from Cargill/host_split_fix
adjusted host_split enrich
lyradc authored Aug 16, 2024
2 parents c4f7891 + 43f200c commit b3129b8
Showing 1 changed file with 49 additions and 64 deletions.
113 changes: 49 additions & 64 deletions config/enrichments/09_host_split.conf
Expand Up @@ -5,122 +5,107 @@ filter {
}
}
else {
# [client][address] [client][ip] [client][domain]
# [client][address] [client][domain]
if [client][address] =~ "^.*?\..*?$" {
if [client][address] =~ "^\d+.\d+.\d+.\d+$" {
if [client][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[client][address]" => "(ip:)?(?<[client][ip]>.*)" }
tag_on_failure => "_clientaddress_grok_failure"
match => { "[client][address]" => "^(?<[client][tmp]>\d+.\d+.\d+.\d+)\.(?<[client][domain]>.*?)$" }
tag_on_failure => "_logsourcesourcename_grok_failure"
}
mutate {
remove_field => [ "[client][address]" ]
rename => { "[client][tmp]" => "[client][address]" }
}
}
else {
mutate {
add_field => { "[client][domain]" => "%{[client][address]}" }
} else if [client][address] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[client][address]" => "^(?<[client][tmp]>.*?)\.(?<[client][domain]>.*?)$" }
tag_on_failure => "_logsourcesourcename_grok_failure_2"
}
mutate {
gsub => [
"[client][address]", "^(.*?)\.(.*)$", "\1",
"[client][domain]", "^(.*?)\.(.*)$", "\2"
]
rename => { "[client][tmp]" => "[client][address]" }
}
}
}

# [server][address] [server][ip] [server][domain]
# [server][address] [server][domain]
if [server][address] =~ "^.*?\..*?$" {
if [server][address] =~ "^\d+.\d+.\d+.\d+$" {
if [server][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[server][address]" => "(ip:)?(?<[server][ip]>.*)" }
tag_on_failure => "_serveraddress_grok_failure"
match => { "[server][address]" => "^(?<[server][tmp]>\d+.\d+.\d+.\d+)\.(?<[server][domain]>.*?)$" }
tag_on_failure => "_logsourcesourcename_grok_failure"
}
mutate {
remove_field => [ "[server][address]" ]
rename => { "[server][tmp]" => "[server][address]" }
}
}
else {
mutate {
add_field => { "[server][domain]" => "%{[server][address]}" }
} else if [server][address] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[server][address]" => "^(?<[server][tmp]>.*?)\.(?<[server][domain]>.*?)$" }
tag_on_failure => "_logsourcesourcename_grok_failure_2"
}
mutate {
gsub => [
"[server][address]", "^(.*?)\.(.*)$", "\1",
"[server][domain]", "^(.*?)\.(.*)$", "\2"
]
rename => { "[server][tmp]" => "[server][address]" }
}
}
}

# [source][address] [source][ip] [source][domain]
# [source][address] [source][domain]
if [source][address] =~ "^.*?\..*?$" {
if [source][address] =~ "^\d+.\d+.\d+.\d+$" {
if [source][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[source][address]" => "(ip:)?(?<[source][ip]>.*)" }
tag_on_failure => "_sourceaddress_grok_failure"
match => { "[source][address]" => "^(?<[source][tmp]>\d+.\d+.\d+.\d+)\.(?<[source][domain]>.*?)$" }
tag_on_failure => "_logsourcesourcename_grok_failure"
}
mutate {
remove_field => [ "[source][address]" ]
rename => { "[source][tmp]" => "[source][address]" }
}
}
else {
mutate {
add_field => { "[source][domain]" => "%{[source][address]}" }
} else if [source][address] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[source][address]" => "^(?<[source][tmp]>.*?)\.(?<[source][domain]>.*?)$" }
tag_on_failure => "_logsourcesourcename_grok_failure_2"
}
mutate {
gsub => [
"[source][address]", "^(.*?)\.(.*)$", "\1",
"[source][domain]", "^(.*?)\.(.*)$", "\2"
]
rename => { "[source][tmp]" => "[source][address]" }
}
}
}

# [host][hostname] [host][ip] [host][domain]
# [host][hostname] [host][domain]
if [host][hostname] =~ "^.*?\..*?$" {
if [host][hostname] =~ "\d+.\d+.\d+.\d+" {
if [host][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[host][hostname]" => "(ip:)?(?<[host][ip]>.*)" }
tag_on_failure => "_hostname_grok_failure"
match => { "[host][hostname]" => "^(?<[host][tmp]>\d+.\d+.\d+.\d+)\.(?<[host][domain]>.*?)$" }
tag_on_failure => "_logsourcehostname_grok_failure"
}
mutate {
remove_field => [ "[host][hostname]" ]
rename => { "[host][tmp]" => "[host][hostname]" }
}
}
else {
mutate {
add_field => { "[host][domain]" => "%{[host][hostname]}" }
} else if [host][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[host][hostname]" => "^(?<[host][tmp]>.*?)\.(?<[host][domain]>.*?)$" }
tag_on_failure => "_logsourcehostname_grok_failure_2"
}
mutate {
gsub => [
"[host][hostname]", "^(.*?)\.(.*)$", "\1",
"[host][domain]", "^(.*?)\.(.*)$", "\2"
]
rename => { "[host][tmp]" => "[host][hostname]" }
}
}
}

# [log][source][hostname] [log][source][ip] [log][source][domain]
# [log][source][hostname] [log][source][domain]
if [log][source][hostname] =~ "^.*?\..*?$" {
if [log][source][hostname] =~ "\d+.\d+.\d+.\d+" {
if [log][source][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
grok {
match => { "[log][source][hostname]" => "(ip:)?(?<[log][source][ip]>.*)" }
match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+.\d+.\d+.\d+)\.(?<[log][source][domain]>.*?)$" }
tag_on_failure => "_logsourcehostname_grok_failure"
}
mutate {
remove_field => [ "[log][source][hostname]" ]
rename => { "[log][source][tmp]" => "[log][source][hostname]" }
}
}
else {
mutate {
add_field => { "[log][source][domain]" => "%{[log][source][hostname]}" }
} else if [log][source][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
grok {
match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>.*?)\.(?<[log][source][domain]>.*?)$" }
tag_on_failure => "_logsourcehostname_grok_failure_2"
}
mutate {
gsub => [
"[log][source][hostname]", "^(.*?)\.(.*)$", "\1",
"[log][source][domain]", "^(.*?)\.(.*)$", "\2"
]
rename => { "[log][source][tmp]" => "[log][source][hostname]" }
}
}
}
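Review bot: The fallback branch `} else if [client][address] !~ "^\d+\.\d+\.\d+\.\d+$" {` still splits any dotted value that is not a bare IPv4 quad on its first `.`, so a host:port pair or an IPv4-mapped IPv6 literal such as `::ffff:10.0.0.1` would presumably be rewritten to `[client][address]` = `::ffff:10` and `[client][domain]` = `0.0.1`, silently corrupting the ECS fields that detections key on; the same applies to the server, source, host and log.source blocks. Excluding anything containing a colon before the split, e.g. `} else if [client][address] !~ "^\d+\.\d+\.\d+\.\d+$" and [client][address] !~ ":" {`, would keep such values intact. The grok capture `\d+.\d+.\d+.\d+` also leaves its inner dots unescaped while the guarding conditional escapes them; writing it as `\d+\.\d+\.\d+\.\d+` keeps the two patterns in step. The client, server and source blocks all tag failures as `_logsourcesourcename_grok_failure` / `_logsourcesourcename_grok_failure_2`, so a failure can no longer be attributed to the field that caused it; field-specific tags such as `_clientaddress_grok_failure` would restore that. The enclosing `filter { … } else {` block opens before and closes after this hunk.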
