Azure NSG Integration help

Ameer_Mukadam · November 23, 2020, 10:15am

Hi,
I am trying to integrate Azure NSG Logs into Elastic, I have done 80% but there is 1 field is proving a little difficult for me and it has all the important flow information.
Each log event contaains 5 flows information it currently under a single field so I would like to split each of them in there own event and then dissect to extract the flow information, each tuple begins with datetime, srcip, dstip, srcport,dstport,etc
but first i need to somehow seperate them

Ameer_Mukadam · November 23, 2020, 10:19am

My current logstash configuration looks like this which of course isn't correct

input {
  pipeline { address => intel }
}

filter {
  split {
field => "[records]"
  }
  split {
field => "[records][properties][flows]"
  }
  split {
field => "[records][properties][flows][flows]"
  }
#  dissect {
#    mapping => {
#      "[records][properties][flows][flows][flowTuples]" => '%{time},%{srcaddr},%{dstaddr},%{srcport},%{dstport},%{protocol},%{direction},%{action},%{state},%{srcpackets},%{srcbytes},{dstpackets},%{dstbytes}'
#    }
#  }
  mutate {
    split => { "[records][resourceId]" => "/"}
    add_field => {
           "Subscriptions" => "%{[records][resourceId][2]}"
           "ResourceGroup" => "%{[records][resourceId][4]}"
           "NetworkSecurityGroup" => "%{[records][resourceId][8]}"
            }
    convert => {"Subscriptions" => "string"}
    convert => {"ResourceGroup" => "string"}
    convert => {"NetworkSecurityGroup" => "string"}
    split => { "[records][properties][flows][flows][flowTuples]" => ","}
    add_field => {
           "unixtimestamp" => "%{[records][properties][flows][flows][flowTuples][0]}"
           "srcIp" => "%{[records][properties][flows][flows][flowTuples][1]}"
           "destIp" => "%{[records][properties][flows][flows][flowTuples][2]}"
           "srcPort" => "%{[records][properties][flows][flows][flowTuples][3]}"
           "destPort" => "%{[records][properties][flows][flows][flowTuples][4]}"
           "protocol" => "%{[records][properties][flows][flows][flowTuples][5]}"
           "trafficflow" => "%{[records][properties][flows][flows][flowTuples][6]}"
           "traffic" => "%{[records][properties][flows][flows][flowTuples][7]}"
            }
    convert => {"unixtimestamp" => "integer"}
  }
  date{
  match => ["unixtimestamp", "UNIX"]
  }
}


output {

system · December 21, 2020, 10:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.