Compare two datasets

counterf · April 23, 2018, 12:02am

The translate is not working.

I am using packetbeat to send network activity.

Here is my conf:

input section

input {
beats {
port => 5044
}
}

filter {
translate {
field => "dest.ip"
destination => "malicious_IP"
dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
override => true
}

translate {
field => "source.ip"
destination => "malicious_IP"
dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
override => true
}

}
output {
elasticsearch {
hosts => localhost
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}

I can see the logs coming, they appear in Kibana, but the translation just doesnt work.

Here is the content of the dictionary

"216.46.173.126": "true"
"180.179.174.219": "true"
"204.77.168.241": "true"
"65.39.197.164": "true"
"80.91.33.133": "true"
"84.208.15.12": "true"
"74.125.60.158": "true"
"8.8.8.8": "true"
"200.221.2.45": "true"
"186.232.248.40": "true"

The translate plugin is installed.

Any idea?