I have a field name collision on “path”. Logstash is pushing into ES a field of “path” with the file path on disk to the log being monitored.
In smb_files.log, path refers to the path on disk of the file being written by smb. How would this best be resolved?
Yes, I am using json output.
We’re not really solving Erik’s problem by recommending a switch to json. If anything, it aggravates the situation, as it will throw additional log entry failures on one of the noisiest protocols analyzed.
This activity causes a parsing issue.
The field output from the smb protocol scripts will have to rewrite the field name. I’ve done this in the past with NB, but I don’t recall the exact details.

I’ll see what I can run down from my notes.
Hi Erik,
It’s a very easy thing to do using a Logstash rewrite filter.
In our infrastructure we have a Logstash pipeline that reads all the Bro files and adds a tag to them.
    input {
      # One file input per Bro log, each tagged with its log type
      file {
        path => [ "/var/log/bro/logs/current/conn.log" ]
        close_older => 30
        start_position => "beginning"
        tags => [ "bro", "bro_conn" ]
        id => "input_bro_conn"
      }
      file {
        path => [ "/var/log/bro/logs/current/dce_rpc.log" ]
        close_older => 30
        start_position => "beginning"
        tags => [ "bro", "bro_dce_rpc" ]
        id => "input_bro_dce_rpc"
      }
      [...]
    }
Then you can define a rewrite like this:
    filter {
      # Only events from the SMB logs get their "path" field renamed
      if "bro_smb_files" in [tags] or "bro_smb_mapping" in [tags] {
        mutate {
          rename => { "path" => "smb_path" }
          id => "normalize_bro_smb"
        }
      }
    }
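
The following is an added example, not code from any poster in this thread: a small Python check that finds which fields in sample Bro JSON lines share a name with a field the shipper sets, and derives the per-tag rename map in the thread's style (path becomes smb_path). It goes beyond the single "path" case to any shipper field name. Assumptions: the shipper field list uses Logstash's legacy (non-ECS) names, the sample lines are constructed, and the function names are hypothetical.

```python
import json

# Field names the shipper sets on every event (assumption: Logstash's
# legacy, non-ECS names for the file input plus the core event fields).
SHIPPER_FIELDS = {"path", "host", "tags", "message", "@timestamp", "@version"}

# Constructed sample lines, keyed by the tag the matching input would add.
SAMPLES = {
    "bro_smb_files": r'{"ts":1520000000.1,"uid":"C1","action":"SMB::FILE_OPEN",'
                     r'"path":"\\\\fs01\\share","name":"report.docx"}',
    "bro_smb_mapping": r'{"ts":1520000000.2,"uid":"C1","path":"\\\\fs01\\share",'
                       r'"share_type":"DISK"}',
    "bro_http": r'{"ts":1520000000.3,"uid":"C2","method":"GET",'
                r'"host":"intranet.example","uri":"/"}',
    "bro_conn": r'{"ts":1520000000.4,"uid":"C3","proto":"tcp","service":"smb"}',
}


def colliding_fields(line):
    """Bro field names in one JSON log line that the shipper also sets."""
    return sorted(SHIPPER_FIELDS.intersection(json.loads(line)))


def rename_map(tag, line):
    """Rename map in the thread's style: path -> smb_path for bro_smb_* tags."""
    protocol = tag[len("bro_"):].split("_")[0]  # "bro_smb_files" -> "smb"
    return {name: f"{protocol}_{name}" for name in colliding_fields(line)}


def apply_renames(tag, line):
    """Parse a line, move colliding fields aside, then add the shipper's tags."""
    event = json.loads(line)
    for old, new in rename_map(tag, line).items():
        if new in event:  # never overwrite a field Bro already emits
            raise ValueError(f"{new} already present in {tag} event")
        event[new] = event.pop(old)
    event["tags"] = ["bro", tag]
    return event


if __name__ == "__main__":
    for tag, line in SAMPLES.items():
        print(tag, rename_map(tag, line))
```

Each non-empty map it prints corresponds to one `rename` entry for that tag in a mutate filter like the one above.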
