Hi
I have this in my logstash.conf:
input {
  file {
    # tcpdump output captured to a file; one packet per line
    path => "/tmp/tcpdump.out"
  }
}
filter {
  grok {
    # expects "tcpdump -tttt -n" style lines: ISO date/time, "IP", src.port > dst.port
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp} IP %{IP:srcIP}.%{INT:srcPort} > %{IP:destIP}.%{INT:destPort}"]
    named_captures_only => true
    remove_field => [ "command", "host", "@version", "message", "@timestamp" ]
  }
}
output {
  elasticsearch {
    hosts => "elastic:9200"
    # the date in the index name is expanded from the event's @timestamp
    index => "tcpdump-%{+YYYY-MM-dd}"
  }
  stdout { codec => rubydebug }
}
It works OK, but I want to further break down the message
so I can analyse based on IP address, source port and destination, which I cannot at the moment as the message is displayed as a whole. I understand I am missing some configuration but I do not know what ... Really appreciate it if someone would help or give info.
This is on my Kibana interface, with more info:
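As an added example (not part of the original post), here is a way to check the grok pattern from the question offline before touching Logstash: the same named captures, rebuilt as a Python regex and run over a few constructed tcpdump lines. The grok definitions are simplified (grok's TIMESTAMP_ISO8601 and IP are more permissive), which is an assumption; the sample lines are constructed here, not from the poster's /tmp/tcpdump.out. Lines where the pattern does not match are exactly the ones Logstash would tag _grokparsefailure and index with the message still whole.

```python
import re
from typing import Optional

# Simplified Python equivalents of the grok patterns used in the question's filter
# (assumption: tcpdump run with -tttt -n, i.e. full date and numeric addresses/ports).
TIMESTAMP_ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
INT = r"[+-]?\d+"

# Same structure as the grok match string:
#   %{TIMESTAMP_ISO8601:timestamp} IP %{IP:srcIP}.%{INT:srcPort} > %{IP:destIP}.%{INT:destPort}
TCPDUMP_RE = re.compile(
    rf"(?P<timestamp>{TIMESTAMP_ISO8601}) IP "
    rf"(?P<srcIP>{IPV4})\.(?P<srcPort>{INT}) > "
    rf"(?P<destIP>{IPV4})\.(?P<destPort>{INT})"
)


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Return the named captures as a dict (ports converted to int), or None when
    the pattern does not match (the _grokparsefailure case in Logstash)."""
    m = TCPDUMP_RE.search(line)  # grok is unanchored, like re.search
    if m is None:
        return None
    event = m.groupdict()
    event["srcPort"] = int(event["srcPort"])
    event["destPort"] = int(event["destPort"])
    return event


def parse_lines(lines):
    """Split input lines into parsed events and lines the pattern rejects."""
    parsed, failed = [], []
    for line in lines:
        event = parse_tcpdump_line(line)
        if event is None:
            failed.append(line)
        else:
            parsed.append(event)
    return parsed, failed


# Constructed sample lines (hypothetical, not from the poster's capture).
SAMPLE_LINES = [
    # tcpdump -tttt -n: full date, numeric addresses and ports -> matches
    "2023-04-05 10:11:12.123456 IP 192.168.1.10.54321 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0",
    "2023-04-05 10:11:13.000001 IP 192.168.1.10.5353 > 224.0.0.251.5353: UDP, length 45",
    # default tcpdump timestamp has no date -> TIMESTAMP_ISO8601 does not match
    "10:11:14.000002 IP 192.168.1.10.22 > 10.0.0.5.50000: Flags [P.], length 64",
    # without -n tcpdump prints service names -> INT does not match "https"
    "2023-04-05 10:11:16.000004 IP 10.0.0.5.https > 192.168.1.10.54321: Flags [S.], length 0",
    # IPv6 is printed as "IP6" -> the literal " IP " in the pattern does not match
    "2023-04-05 10:11:15.000003 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit",
]

if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for e in ok:
        print(e)
    for line in bad:
        print("_grokparsefailure:", line)
```

Running it prints two parsed events with separate srcIP, srcPort, destIP and destPort fields and three rejected lines. The same split is what to look for in Kibana: events carrying a _grokparsefailure tag keep the whole message and gain no per-field values, so filtering on tags is the quickest way to see whether the pattern is matching the real capture format.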