The following plugin looks up whether a value exists in a specified list and, if it is found, allows records to be added to indicate the match. Introduced in version 1.8.4.

Configuration Parameters

The plugin supports the following configuration parameters:

file: The single value file that Fluent Bit will use as a lookup table to determine if the specified lookup_key exists.
lookup_key: The specific key to look up and determine if it exists. Supports record accessor.
record: The record to add if the lookup_key is found in the specified file. Note that you may add multiple record parameters.
mode: Set the check mode. exact and partial are supported. Default: exact.
print_query_time: Print to stdout the elapsed query time for every matched record. Default: false.
ignore_case: Compare strings by ignoring case. Default: false.

Example Configuration

[INPUT]
    name           tail
    tag            test1
    path           test1.log
    read_from_head true
    parser         json

[FILTER]
    name       checklist
    match      test1
    file       ip_list.txt
    lookup_key $remote_addr
    record     ioc    abc
    record     badurl null
    log_level  debug

[OUTPUT]
    name       stdout
    match      test1

With the configuration above, Fluent Bit reads a file, test1.log, that includes the following values:
{"remote_addr": true, "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
{"remote_addr": "", "ioc":"false", "url":"","badurl":"no"}
Additionally, we will use the following lookup file which contains a list of malicious IPs (ip_list.txt)
In the configuration we are using $remote_addr as the lookup key and is malicious. This means the record we would output for the last record would look like the following
{"remote_addr": "", "ioc":"abc", "url":"","badurl":"null"}
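The exact-mode behaviour described above can be modeled in a few lines of Python. This is an added example, not Fluent Bit's own code: the function names, the addresses (documentation-range placeholders) and the handling of non-string values are assumptions, and partial mode is not modeled.

```python
import json

def load_checklist(lines, ignore_case=False):
    """Build the lookup set from a single-value file: one value per line."""
    values = (line.strip() for line in lines)
    return {v.lower() if ignore_case else v for v in values if v}

def checklist_filter(record, lookup_key, checklist, additions, ignore_case=False):
    """Exact-mode model: when the looked-up value is in the list, set every
    (key, value) pair in additions, overwriting keys that already exist."""
    # Only a top-level "$key" accessor is modeled here.
    value = record.get(lookup_key.lstrip("$"))
    # Assumption of this model: non-string values never match.
    if not isinstance(value, str):
        return record
    if ignore_case:
        value = value.lower()
    if value not in checklist:
        return record
    enriched = dict(record)
    enriched.update(additions)
    return enriched

# Constructed sample data; the addresses are documentation-range placeholders.
IP_LIST = ["192.0.2.10", "203.0.113.7"]
LOG_LINES = [
    '{"remote_addr": true, "ioc":"false", "url":"","badurl":"no"}',
    '{"remote_addr": "198.51.100.23", "ioc":"false", "url":"","badurl":"no"}',
    '{"remote_addr": "203.0.113.7", "ioc":"false", "url":"","badurl":"no"}',
]

def run_example():
    """Apply the page's filter settings (record ioc abc, record badurl null)."""
    checklist = load_checklist(IP_LIST)
    additions = {"ioc": "abc", "badurl": "null"}
    return [
        checklist_filter(json.loads(line), "$remote_addr", checklist, additions)
        for line in LOG_LINES
    ]

if __name__ == "__main__":
    for rec in run_example():
        print(json.dumps(rec))
```

Only the last constructed record is rewritten, and its existing ioc and badurl values are replaced rather than duplicated, which matters when downstream alerting keys on those fields.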