Convert a text field to the `ip` type (and ports to numbers)

Hello everybody,

I am parsing Wallix logs with the Logstash `kv` filter plugin:

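# Split each `key="value"` pair out of the raw syslog line. kv emits every
# value as a string, so IPs and ports arrive as text no matter how they look.
kv{
	source => "syslog_message"
	value_split => "=\""
	field_split => "\"\s"
}

# Cast the port fields to integers in the pipeline so the indexed document
# carries a number rather than "22". mutate/convert silently skips fields that
# are absent from an event, so this is safe for log lines without a port.
# NOTE(review): field names taken from the mapping below — confirm they match
# what kv actually produces for your Wallix format before relying on this.
# Turning an IP *string* into the Elasticsearch `ip` type is not something a
# filter can do: it requires an explicit mapping / index template on the index.
mutate {
	convert => {
		"source_port"      => "integer"
		"destination_port" => "integer"
	}
}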

As a result, every field is dynamically mapped as `text` with a `keyword` sub-field — including the IP addresses and ports — as you can see in the index mapping below:

> {
>   "mappings": {
>     "_doc": {
>       "properties": {
>         "@timestamp": {
>           "type": "date"
>         },
>         "@version": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "command_name": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "destination": {
>           "properties": {
>             "address": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "ip": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "port": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "destination_address": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "destination_ip": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "destination_port": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "ecs": {
>           "properties": {
>             "version": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "event": {
>           "properties": {
>             "category": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "kind": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "name": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "outcome": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "type": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "file_descriptor": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "host": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "log": {
>           "properties": {
>             "logger": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "original": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "parsed": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "path": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "process": {
>           "properties": {
>             "command_line": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "pid": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "pwd": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "source": {
>           "properties": {
>             "ip": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             },
>             "port": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "source_ip": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "source_port": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "tags": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "timestamp": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "tty": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "user": {
>           "properties": {
>             "name": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "user_sudo": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallix": {
>           "properties": {
>             "data": {
>               "type": "text",
>               "fields": {
>                 "keyword": {
>                   "type": "keyword",
>                   "ignore_above": 256
>                 }
>               }
>             }
>           }
>         },
>         "wallix(1)": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixFile": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixchannel_id": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixduration": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixinfos": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixmethod": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixnetResult": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixport": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixpubkey_hash": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixpubkey_type": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixreason": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixresult": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixstate": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixstatus": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixstream": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         },
>         "wallixtpkt": {
>           "type": "text",
>           "fields": {
>             "keyword": {
>               "type": "keyword",
>               "ignore_above": 256
>             }
>           }
>         }
>       }
>     }
>   }
> }

I need the IP fields (`source.ip`, `destination.ip`) to be mapped as the Elasticsearch `ip` type, and the source and destination ports to be numbers, so that I can run CIDR and range queries on them. Can anyone help me resolve this? Examples would be appreciated.

Best regards,

I'm not sure about changing the indexed data itself, but I know how to customise how the values are displayed in Kibana.

  1. One way is the *Static lookup* formatter on the field in the index pattern: it replaces a stored text value with the display value you want. The same works for the source and destination ports. Note that this is display-only — the field is still `text`/`keyword` in the index, so CIDR and numeric range queries will not work.
  2. The other way is to write a scripted field that returns the IP value instead of the text value. Scripted fields are computed at query time on every hit, so they are slower than a properly mapped field and still do not give you a real `ip` type for filtering.

You will need to create the index with an explicit mapping before you ingest data — or, better, use an index template — so that `source.ip` / `destination.ip` are mapped as `"type": "ip"` and the ports as `"type": "integer"`. Dynamic mapping will only ever pick `text`/`keyword` for these strings, which is exactly what your current mapping shows. Two caveats: an `ip` field rejects a document whose value is not a valid IPv4/IPv6 address (use `ignore_malformed` if the kv output can contain junk), and the ports should also be cast to numbers in Logstash with `mutate { convert => { "source_port" => "integer" } }` so the document matches the mapping. While you are at it, note that the mapping carries both the flat `source_ip`/`source_port` and the ECS-style `source.ip`/`source.port` fields — pick one to avoid indexing every value twice — and that `ignore_above: 256` on fields such as `log.original` and `process.command_line` means long values are silently dropped from the `keyword` sub-field and become unsearchable by exact term.
