Elasticsearch Mapping to ECS

bn1980 · October 5, 2020, 1:37am

I have logstash creating a daily index
index => "logstash-suricata-%{+YYYY.MM.dd}"

In order to create a mapping i am using a template which is assigned in logstash config
template => "/usr/local/etc/logstash/suricata_template.json"

Is this the correct way to do mapping?

How do I map fields to the Elastic Common Schema (ECS) ?

Please

logstash.conf

input {
  redis {
    host => "192.168.188.154"
    data_type => "list"
    key => "suricata"
    codec => "json"
    threads => 12
    type => "SuricataIDPS"
  }
}
filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "src_geoip"
    }
  }
  if [dest_ip] {
    geoip {
      source => "dest_ip"
      target => "dest_geoip"
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-suricata-%{+YYYY.MM.dd}"
    template => "/usr/local/etc/logstash/suricata_template.json"
    template_overwrite => true
  }
}

suricata_template.json

{
  "template" : "logstash-suricata-*",
  "settings" : {
    "index.refresh_interval" : "5s",
    "number_of_replicas": 0,
    "number_of_shards": 1
},
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : false, "norms" : false},
      "dynamic_templates" : [ {
        "double_fields" : {
          "match" : "*",
          "match_mapping_type" : "double",
          "mapping" : { "type" : "double"}
        }
      }, {
        "long_fields" : {
          "match" : "*",
          "match_mapping_type" : "long",
          "mapping" : { "type" : "long", "doc_values" : true }
        }
      }, {
        "date_fields" : {
          "match" : "*",
          "match_mapping_type" : "date",
          "mapping" : { "type" : "date", "doc_values" : true }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date", "doc_values" : true },
        "@version": { "type": "text", "index": false },
        "dest_geoip"  : {
          "type" : "object",
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip", "doc_values" : true },
            "location" : { "type" : "geo_point", "doc_values" : true },
            "latitude" : { "type" : "double", "doc_values" : true },
            "longitude" : { "type" : "double", "doc_values" : true }
          }
        },
        "src_geoip"  : {
          "type" : "object",
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip", "doc_values" : true },
            "location" : { "type" : "geo_point", "doc_values" : true },
            "latitude" : { "type" : "double", "doc_values" : true },
            "longitude" : { "type" : "double", "doc_values" : true }
          }
        }
      }
    }
  }

system · November 2, 2020, 1:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	746	March 2, 2021
Failed to parse mapping [_default_]: A dynamic template must be defined with a name Logstash	5	1626	September 29, 2017
Failed to parse mapping [_default_]: A dynamic template must be defined with a name Logstash Elasticsearch	1	1152	October 30, 2017
Mapping using Logstash Elasticsearch	4	1135	May 12, 2020
Logstash injecting messages using Elasticsearch mapping template Elasticsearch	2	731	July 5, 2017

Elasticsearch Mapping to ECS

Related Topics