I'm trying to add the registered_domain processor to extract the registered domain from destination.address in my Fortinet firewall logs (e.g., extract d-zone.ca from ns2-firewall.d-zone.ca).
Environment:
- Filebeat: 8.19.4
- Elasticsearch: (same version)
- Module: Fortinet firewall module

What I've tried:
- Global processors in filebeat.yml - This doesn’t work because it appears that the field is not created yet.

    processors:
      - registered_domain:
          field: destination.address
          target_field: destination.registered_domain
          ignore_missing: true
          ignore_failure: true

- Module-level processors in fortinet.yml - Same error as above

    module: fortinet
    firewall:
      enabled: true
      processors:
        - registered_domain:
            field: destination.address
            target_field: destination.registered_domain

- Module-level pipeline parameter - I added a pipeline and tried to get the fortinet module to use it, but that didn’t work either.

    module: fortinet
    firewall:
      enabled: true
      pipeline: fortinet-firewall-custom

It seems that the destination.address field doesn't exist when Filebeat processes the data. It's created by the Elasticsearch ingest pipeline (filebeat-8.19.4-fortinet-firewall-traffic) which renames fortinet.firewall.dstname → destination.address.
This means Filebeat processors run too early - the field doesn't exist yet. I tried accessing fortinet.firewall.dstname with the module processor, but it seems like that field doesn’t exist yet either. It must be created by ES, not filebeat.
What’s the best way to use this processor? Should I modify the ingest pipeline? If so, how?