Elasticsearch Mapping to ECS

bn1980 · October 5, 2020, 1:37am

I have logstash creating a daily index
index => "logstash-suricata-%{+YYYY.MM.dd}"

In order to create a mapping i am using a template which is assigned in logstash config
template => "/usr/local/etc/logstash/suricata_template.json"

Is this the correct way to do mapping?

How do I map fields to the Elastic Common Schema (ECS) ?

Please

logstash.conf

input {
  redis {
    host => "192.168.188.154"
    data_type => "list"
    key => "suricata"
    codec => "json"
    threads => 12
    type => "SuricataIDPS"
  }
}
filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "src_geoip"
    }
  }
  if [dest_ip] {
    geoip {
      source => "dest_ip"
      target => "dest_geoip"
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-suricata-%{+YYYY.MM.dd}"
    template => "/usr/local/etc/logstash/suricata_template.json"
    template_overwrite => true
  }
}

suricata_template.json

{
  "template" : "logstash-suricata-*",
  "settings" : {
    "index.refresh_interval" : "5s",
    "number_of_replicas": 0,
    "number_of_shards": 1
},
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : false, "norms" : false},
      "dynamic_templates" : [ {
        "double_fields" : {
          "match" : "*",
          "match_mapping_type" : "double",
          "mapping" : { "type" : "double"}
        }
      }, {
        "long_fields" : {
          "match" : "*",
          "match_mapping_type" : "long",
          "mapping" : { "type" : "long", "doc_values" : true }
        }
      }, {
        "date_fields" : {
          "match" : "*",
          "match_mapping_type" : "date",
          "mapping" : { "type" : "date", "doc_values" : true }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date", "doc_values" : true },
        "@version": { "type": "text", "index": false },
        "dest_geoip"  : {
          "type" : "object",
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip", "doc_values" : true },
            "location" : { "type" : "geo_point", "doc_values" : true },
            "latitude" : { "type" : "double", "doc_values" : true },
            "longitude" : { "type" : "double", "doc_values" : true }
          }
        },
        "src_geoip"  : {
          "type" : "object",
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip", "doc_values" : true },
            "location" : { "type" : "geo_point", "doc_values" : true },
            "latitude" : { "type" : "double", "doc_values" : true },
            "longitude" : { "type" : "double", "doc_values" : true }
          }
        }
      }
    }
  }

system · November 2, 2020, 1:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to parse mapping [_default_]: A dynamic template must be defined with a name Logstash	5	1628	September 29, 2017
Failed to parse mapping [_default_]: A dynamic template must be defined with a name Logstash Elasticsearch	1	1153	October 30, 2017
Mapping using Logstash Elasticsearch	4	1153	May 12, 2020
Trouble with template and field mapping Elasticsearch	3	593	July 5, 2017
Logstash injecting messages using Elasticsearch mapping template Elasticsearch	2	731	July 5, 2017

Elasticsearch Mapping to ECS

Related topics