Hi.
I'm using the alerting via mail realized by configuring an additional output for email in the logstash.conf file. The output via mail is filtered via an if clause searching for a tag (as mentioned before in other discussions).
Due to a running tpot, the system reports a ciscoasa attack without a source IP every x days, as you know.
So I want to expand my if clause with a check for an empty source IP, in expectation to report just real attacks on ports, by adding "and not" or something like that. I'm sorry, I'm not a programmer, just able to read some code basically.
I did realize the output via email with the following if clause successfully:

```
if "shouldmail" in [tags] {
  email {
    # ... email options as configured ...
  }
}
```

My tryout to avoid sending mails at the mentioned ciscoasa events without source IP is by expanding the if clause in this way:

```
if "shouldmail" in [tags] and "src_ip" != "" {
  email {
    # ... email options as configured ...
  }
}
```

But it won't work.
Do you have an idea for the correct syntax?
Thanks a lot for your kind assistance.
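The check the post is asking about, written as a Logstash output conditional; this is an added example, not the poster's own configuration. In Logstash conditionals a field is referenced in square brackets (`[src_ip]`), while the quoted `"src_ip"` is a plain string literal that is never equal to `""`, so that condition is always true and filters nothing. The SMTP host and mail addresses below are placeholders.

```logstash
output {
  # Mail only when the event is tagged for mailing AND carries a usable
  # source IP. `[src_ip]` on its own is false when the field is absent
  # (the ciscoasa case without a source); the != "" test additionally
  # covers a field that exists but holds an empty string.
  if "shouldmail" in [tags] and [src_ip] and [src_ip] != "" {
    email {
      address => "smtp.example.invalid"        # placeholder SMTP host
      to      => "soc@example.invalid"         # placeholder recipient
      from    => "logstash@example.invalid"    # placeholder sender
      subject => "T-Pot alert from %{src_ip}"
      body    => "Event: %{message}"
    }
  }
}
```

Events without a tag match or without a source IP still reach your other outputs (e.g. Elasticsearch); only the email output is suppressed.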