Fluent Bit: Official Manual
SlackGitHubDiscussionsCommunity Meetings
Search…
1.9
Fluent Bit v1.9 Documentation
About
What is Fluent Bit?
A Brief History of Fluent Bit
Fluentd & Fluent Bit
License
Concepts
Key Concepts
Buffering
Data Pipeline
Installation
Getting Started with Fluent Bit
Upgrade Notes
Supported Platforms
Requirements
Sources
Linux Packages
Docker
Containers on AWS
Amazon EC2
Kubernetes
macOS
Windows
Yocto / Embedded Linux
Administration
Configuring Fluent Bit
Security
Buffering & Storage
Backpressure
Scheduling and Retries
Networking
Memory Management
Monitoring
Dump Internals / Signal
HTTP Proxy
Local Testing
Validating your Data and Structure
Running a Logging Pipeline Locally
Data Pipeline
Pipeline Monitoring
Inputs
Parsers
Filters
AWS Metadata
CheckList
Expect
GeoIP2 Filter
Grep
Kubernetes
Lua
Parser
Record Modifier
Modify
Multiline
Nest
Nightfall
Rewrite Tag
Standard Output
Throttle
Tensorflow
Outputs
Stream Processing
Introduction to Stream Processing
Overview
Changelog
Getting Started
Fluent Bit for Developers
C Library API
Ingest Records Manually
Golang Output Plugins
Developer guide for beginners on contributing to Fluent Bit
Powered By GitBook
CheckList
The following plugin looks up if a value in a specified list exists and then allows the addition of a record to indicate if found. Introduced in version 1.8.4

Configuration Parameters

The plugin supports the following configuration parameters
Key
Description
file
The single value file that Fluent Bit will use as a lookup table to determine if the specified lookup_key exists
lookup_key
The specific key to look up and determine if it exists, supports record accessor
record
The record to add if the lookup_key is found in the specified file. Note you may add multiple record parameters.
mode
Set the check mode. exact and partial are supported. Default : exact.
print_query_time
Print to stdout the elapseed query time for every matched record. Default: false
ignore_case
Compare strings by ignoring case. Default: false

Example Configuration

1
[INPUT]
2
name tail
3
tag test1
4
path test1.log
5
read_from_head true
6
parser json
7
​
8
[FILTER]
9
name checklist
10
match test1
11
file ip_list.txt
12
lookup_key $remote_addr
13
record ioc abc
14
record badurl null
15
log_level debug
16
​
17
[OUTPUT]
18
name stdout
19
match test1
Copied!
In the following configuration we will read a file test1.log that includes the following values
1
{"remote_addr": true, "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
2
{"remote_addr": "7.7.7.2", "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
3
{"remote_addr": "7.7.7.3", "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
4
{"remote_addr": "7.7.7.4", "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
5
{"remote_addr": "7.7.7.5", "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
6
{"remote_addr": "7.7.7.6", "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
7
{"remote_addr": "7.7.7.7", "ioc":"false", "url":"https://badurl.com/payload.htm","badurl":"no"}
Copied!
Additionally, we will use the following lookup file which contains a list of malicious IPs (ip_list.txt)
1
1.2.3.4
2
6.6.4.232
3
7.7.7.7
Copied!
In the configuration we are using $remote_addr as the lookup key and 7.7.7.7 is malicious. This means the record we would output for the last record would look like the following
1
{"remote_addr": "7.7.7.7", "ioc":"abc", "url":"https://badurl.com/payload.htm","badurl":"null"}
Copied!
Previous
AWS Metadata
Next
Expect
Last modified 1mo ago
Export as PDF
Copy link
Contents
Configuration Parameters
Example Configuration