
So I have a problem

This is a sample log that I want to be dropped, i.e. if the [message] contains:

<13>Feb 8 17:53:21 10.45.1.9 CEF:0|ArcSight|ArcSight|8.4.3.9181.0|agent:045|File processing ended: Success|Low| eventId=72362662 start=1739017401162 end=1739017401162 mrt=1739017401162

So if the [message] contains agent:045 or agent:044, I want the whole log to be dropped.
How can I do this?

This is my parser:

# Chronicle/Logstash-style parser for Indusface WAF events delivered as CEF.
# Stanzas execute top to bottom and later conditionals read fields written by
# earlier stanzas, so the order below is load-bearing.
#
# NOTE(review): this version has no drop for the agent:044 / agent:045 events
# the post asks about.  The cleanest place for it is after a grok that
# extracts the CEF "device event class id" field (the fifth "|"-separated
# header field), so the decision is made on that one field rather than on a
# substring search of the whole [message] — a substring match would also drop
# unrelated events whose extension values merely contain that text.
filter {
    # Seed every field the conditionals below read, so a grok that fails to
    # match leaves a known value ("" / "false") rather than an unset field.
    mutate {
        replace => {
            "src" => ""
            "dhost" => ""
            "src_present" => "false"
            "dhost_present" => "false"
            "status" => ""
            "event.idm.read_only_udm.metadata.vendor_name" => "Indusface"
            "event.idm.read_only_udm.metadata.product_name" => "WAF"
            "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    # Source IP from the CEF extension.  %{GREEDYDATA} ahead of "src=" will
    # scan (and backtrack across) the entire message on lines that do not
    # contain "src=", which is the common case for the sample log above.
    # on_error records the failure in the named field instead of aborting.
    grok {
        match => {
            "message" => ["CEF:%{GREEDYDATA}src=%{IP:src}"]
        }
        overwrite => ["src"]
        on_error => "src_extraction_failed"
    }

    # Destination host is carried in the CEF custom string field cs4.
    grok {
        match => {
            "message" => ["cs4=%{HOSTNAME:dhost}"]
        }
        overwrite => ["dhost"]
        on_error => "dhost_extraction_failed"
    }

    # Only promote src to principal.ip when grok actually extracted a value.
    if [src] not in ["", "null", "None"] {
        mutate {
            replace => {
                "src_present" => "true"
            }
        }

        mutate {
            merge => {
                "event.idm.read_only_udm.principal.ip" => "src"
            }
            on_error => "principal_ip_not_set"
        }
    }

    # Same pattern for the target hostname.
    if [dhost] not in ["", "null", "None"] {
        mutate {
            replace => {
                "dhost_present" => "true"
            }
        }

        mutate {
            replace => {
                "event.idm.read_only_udm.target.hostname" => "%{dhost}"
            }
            on_error => "destinationHost_label_empty"
        }
    }

    # Upgrade the event type only when both endpoints were found; otherwise
    # it stays GENERIC_EVENT from the first mutate.
    # NOTE(review): "and[dhost_present]" has no space after "and" — confirm the
    # parser tolerates this, or write "and [dhost_present]".
    if [event][idm][read_only_udm][metadata][event_type] == "GENERIC_EVENT" {
        if [src_present] != "false" and[dhost_present] != "false" {
            mutate {
                replace => {
                    "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
                }
            }
        }
    }

    # Emit the assembled UDM event.
    mutate {
        merge => {
            "@output" => "event"
        }
    }
}


Can anyone help?
@bsalvatore ?

I suspect there are many changes you should make to the conf file. First, parse the CEF fields in the grok stanza. Please take a look at this modified version and make any necessary changes. I left a statedump in so you can see the variable values while debugging; it should be removed before submitting to prod.
 

# Reformatted copy of the suggested parser (one stanza per line group).
# Execution order matters: the drop must follow the grok that fills
# device_event_class_id, and it must precede the remaining extraction so that
# dropped events cost no further work.
filter {
    # Defaults for every field read later, including the new
    # device_event_class_id that the drop decision is based on.
    mutate {
        replace => {
            "src" => ""
            "device_event_class_id" => ""
            "dhost" => ""
            "src_present" => "false"
            "dhost_present" => "false"
            "status" => ""
            "event.idm.read_only_udm.metadata.vendor_name" => "Indusface"
            "event.idm.read_only_udm.metadata.product_name" => "WAF"
            "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    # Parse the CEF header into named fields.  Patterns are tried in order;
    # the first one requires a numeric severity, so the sample log (severity
    # "Low") falls through to the second pattern, whose severity alternation
    # accepts the textual levels.  Each pattern is several %{DATA}/%{GREEDYDATA}
    # captures, so a non-matching message can backtrack heavily — keep the
    # pattern list short and ordered most-common-first.
    # NOTE(review): in the pasted version the array elements below are not all
    # separated by commas — confirm the parser accepts that, otherwise add
    # "," between the quoted patterns.
    # NOTE(review): on_error still names only src although this grok now
    # covers every CEF header field; a name such as "cef_header_parse_failed"
    # would read better when debugging.
    grok {
        match => {
            "message" => [
                "<%{INT}>%{SYSLOGTIMESTAMP:ts} %{DATA} CEF: %{INT:version}\\\\|%{DATA:device_vendor}\\\\|%{DATA:device_product}\\\\|%{DATA:device_version}\\\\|%{DATA:device_event_class_id}\\\\|%{DATA:event_name}\\\\|%{INT:severity}\\\\|%{GREEDYDATA:cef_extension}"
                "(?:<%{INT}>|%{DATA:temp_data})CEF:%{INT:version}\\\\|%{DATA:device_vendor}\\\\|%{DATA:device_product}\\\\|%{DATA:device_version}\\\\|%{DATA:device_event_class_id}\\\\|(?:%{DATA:event_name}\\\\||)(?P<severity>Medium|MEDIUM|Low|LOW|HIGH|High|Unknown|Very-High|%{INT})(?:\\\\||)%{GREEDYDATA:cef_extension}",
                "CEF: %{TIMESTAMP_ISO8601:timestamp} \\\\| %{GREEDYDATA:kv_data}"
                "(?:<%{INT}>|%{DATA})CEF %{DATA} %{INT:version}\\\\|%{DATA:device_vendor}\\\\|%{DATA:device_product}\\\\|%{DATA:device_version}\\\\|%{DATA:device_event_class_id}\\\\|(?:%{DATA:event_name}\\\\||)(?P<severity>Medium|MEDIUM|Low|LOW|HIGH|High|Unknown|%{INT})(?:\\\\||)%{GREEDYDATA:cef_extension}"
                "CEF:%{GREEDYDATA}src=%{IP:src}"
            ]
        }
        overwrite => ["src","version","device_event_class_id", "event_name","severity", "temp_data","timestamp","kv_data","device_version","cef_extension","device_vendor","device_product"]
        on_error => "src_extraction_failed"
    }

    # Debug aid only: dumps the full parser state for every event.  Remove
    # before this goes to production — it is noisy and exposes every
    # intermediate field value in the output.
    statedump{}

    # Drop the housekeeping events the post asks about.  Matching on the
    # parsed header field, not on a substring of [message], keeps the drop
    # precise; the tag records why the event was discarded.
    # NOTE(review): the membership list uses parentheses here while the
    # "not in" checks below use brackets — confirm both forms are accepted,
    # or use ["agent:044","agent:045"] for consistency.
    if [device_event_class_id] in ("agent:044","agent:045") {
        drop{ tag => "TAG_NO_SECURITY_VALUE" }
    }

    # Destination host from the CEF custom string field cs4.
    grok {
        match => {
            "message" => ["cs4=%{HOSTNAME:dhost}"]
        }
        overwrite => ["dhost"]
        on_error => "dhost_extraction_failed"
    }

    # Promote src to principal.ip only when a value was extracted.
    if [src] not in ["", "null", "None"] {
        mutate {
            replace => {
                "src_present" => "true"
            }
        }
        mutate {
            merge => {
                "event.idm.read_only_udm.principal.ip" => "src"
            }
            on_error => "principal_ip_not_set"
        }
    }

    # Same for the target hostname.
    if [dhost] not in ["", "null", "None"] {
        mutate {
            replace => {
                "dhost_present" => "true"
            }
        }
        mutate {
            replace => {
                "event.idm.read_only_udm.target.hostname" => "%{dhost}"
            }
            on_error => "destinationHost_label_empty"
        }
    }

    # Both endpoints known -> NETWORK_CONNECTION, else stays GENERIC_EVENT.
    if [event][idm][read_only_udm][metadata][event_type] == "GENERIC_EVENT" {
        if [src_present] != "false" and[dhost_present] != "false" {
            mutate {
                replace => {
                    "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
                }
            }
        }
    }

    # Emit the assembled UDM event.
    mutate {
        merge => {
            "@output" => "event"
        }
    }
}