Cisco TCPDUMP

mhalatuituia · April 20, 2018, 9:18am

Hi
I have this on my logstash.conf

input{
file {
path => "/tmp/tcpdump.out"
}
}

filter{
grok{
match => ["message", "%{TIMESTAMP_ISO8601:timestamp} IP %{IP:srcIP}.%{INT:srcPort} > %{IP:destIP}.%{INT:destPort}"]
named_captures_only => true
remove_field => [ "command", "host", "@version", "message", "@timestamp"]
}

}
output {
elasticsearch {
hosts => "elastic:9200"
index => "tcpdump-%{+YYYY-MM-dd}"
}
stdout { codec => rubydebug }

It is work ok but i want to further break down the message

so i can analyse based on ip address , source ort and destination which i cannot at the moment at the message is displayed as a whole, I understand i miss some configuration but i do not know what ... Really appreciate if someone would help or give info .

this is on my kibana interface with more info

magnusbaeck · April 23, 2018, 8:43pm

Have you looked into the grok and dissect filters? Or, for that matter, Packetbeat?

system · May 21, 2018, 8:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing Syslog with Logstash Grock Filter isn't working with Kibana Logstash	3	379	August 14, 2021
GROK filter is not parsing the windows firewall logs for ICMP traffic Logstash	7	969	May 18, 2020
Logstash Filter help - Newbie question Logstash	6	315	February 17, 2022
Logstash with TCP Input but Error Logstash	1	752	March 28, 2020
Filter Sonicwall Logstash Logstash	1	812	July 20, 2020

Cisco TCPDUMP

Related topics