@gian72 I haven't found a solution yet.
@warkolm, I am creating the index template and the bootstrap index as follows (the template's `index.lifecycle.rollover_alias` and the alias set on the bootstrap index must both be `firewall`, which they are below):
The index template:
PUT _template/firewall
{
"index_patterns": ["firewall-*"],
"settings": {
"number_of_shards": 1,
"number_of_replicas": 1,
"index.lifecycle.name": "hot-warm-cold-delete-6months-policy",
"index.lifecycle.rollover_alias": "firewall"
},
"mappings": {
"properties": {
"event": {
"properties": {
"severity": {
"properties": {
"code": { "type": "integer"},
"name": { "type": "keyword"}
}
}
}
},
"confid": {"type": "integer" },
"slotlevel": {"type": "integer"},
"rule": {
"properties": {
"id": { "type": "integer"},
"name": {"type": "keyword" }
}
},
"user": {
"properties": {
"name": {"type": "keyword"}
}
},
"domain": {"type": "text"},
"source": {
"properties": {
"interface_name": {"type": "keyword"},
"ip":{ "type": "ip"},
"ip_reputation": {"type": "keyword"},
"port": {"type": "integer"},
"port_name": {"type": "keyword" },
"mac": {"type": "keyword"},
"nat": {
"properties":{
"ip": {"type": "ip"},
"port": {"type": "integer"}
}
}
}
},
"srcifname": {"type": "keyword"},
"network": {
"properties": {
"protocol": { "type": "keyword"}
}
},
"destination": {
"properties": {
"interface_name": {"type": "keyword"},
"ip": { "type": "ip"},
"ip_reputation": {"type": "keyword"},
"port": {"type": "integer"},
"port_name": {"type": "keyword"}
}
},
"dstifname": {"type": "text"},
"icmp": {
"properties": {
"type": { "type": "integer"},
"code": { "type": "integer"}
}
},
"proto": {"type": "keyword"},
"srcname": {"type": "keyword"},
"src": {
"properties": {
"continent": {"type": "keyword"},
"country": {"type": "text"}
}
},
"dstname": {"type": "keyword"},
"dst": {
"properties": {
"continent": {"type": "keyword"},
"country": {"type": "keyword"}
}
},
"origdst": {"type": "ip"},
"origdstport": {"type": "integer"},
"ipv": {"type": "integer"},
"action": {"type": "keyword"},
"msg": {"type": "text"},
"class": {"type": "text"},
"classification": {"type": "integer"},
"alarm": {
"properties": {
"id": {"type": "integer"}
}
},
"target": {"type": "keyword"},
"sensible": {"type": "integer"},
"repeat": {"type": "integer"},
"logtype": {"type": "keyword"},
"service": {"type": "keyword"},
"sent": {"type": "integer"},
"rcvd": {"type": "integer"},
"connection": {
"properties": {
"duration": {"type": "long"}
}
},
"group": {
"properties": {
"id": {"type": "integer"}
}
},
"op": {"type": "text"},
"result": {"type": "long"},
"arg": {"type": "text"},
"protocol": {"type": "keyword"},
"vulnid": {"type": "keyword"},
"product": {"type": "text"},
"detail": {"type": "text"},
"family": {"type": "keyword"},
"severity": {"type": "keyword"},
"solution": {"type": "keyword"},
"remote": {"type": "integer"},
"targetclient": {"type": "integer"},
"targetserver": {"type": "integer"},
"discovery": {"type": "text"},
"agentid": {"type": "integer"},
"contentpolicy": {"type": "integer"},
"mailruleid": {"type": "integer"},
"cnruleid": {"type": "integer"},
"remotenet": {"type": "ip"},
"localnet": {"type": "ip"},
"port": {"type": "integer"},
"ikev": {"type": "integer"},
"phase": {"type": "integer"},
"side": {"type": "text"},
"cookie_i": {"type": "text"},
"filename": {"type": "text"},
"virus": {"type": "text"},
"urlrule":{
"properties": {
"id": {"type": "integer"}
}
},
"cat_site": {"type": "text"},
"method": {"type": "keyword"},
"error": {"type": "integer"},
"address": {"type": "ip"},
"sessionid": {"type": "integer"}
}
}
}
The bootstrap index (created with `firewall` as its write alias so that ILM rollover works against it):
PUT firewall-000001
{
"aliases": {
"firewall": {
"is_write_index": true
}
}
}