Compare two datasets

counterf · April 23, 2018, 12:02am

The translate is not working.

I am using packetbeat to send network activity.

Here is my conf:

input section

input {
beats {
port => 5044
}
}

filter {
translate {
field => "dest.ip"
destination => "malicious_IP"
dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
override => true
}

translate {
field => "source.ip"
destination => "malicious_IP"
dictionary_path => '/opt/logstash/maliciousIPV4.yaml'
override => true
}

}
output {
elasticsearch {
hosts => localhost
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
stdout {
codec => rubydebug
}
}

I can see the logs coming, they appear in Kibana, but the translation just doesnt work.

Here is the content of the dictionary

"216.46.173.126": "true"
"180.179.174.219": "true"
"204.77.168.241": "true"
"65.39.197.164": "true"
"80.91.33.133": "true"
"84.208.15.12": "true"
"74.125.60.158": "true"
"8.8.8.8": "true"
"200.221.2.45": "true"
"186.232.248.40": "true"

The translate plugin is installed.

Any idea?

Topic		Replies	Views
ELK index field comparison Elasticsearch	3	391	August 17, 2018
Match Field Contents Kibana	3	721	July 6, 2017
I need advice on this new use case - IOC Elasticsearch	4	1410	September 25, 2017
Blacklisted domains Logstash	4	343	February 11, 2021
Match against blacklist Logstash	8	2053	July 6, 2017

Compare two datasets

input section

Related topics