Hi all,
I'm parsing logs that contains src/dst port information. Now for every port I want to enrich the data by adding a description field. To make it clear:
I think how I could do that manually with mutate. But ideally I'd like to either load a csv file (port,description) and do the matching automatically or is there anything that already does that so I don't reinvent the wheel.
You can use the translate plugin.
Eg.
filter {
if [port] {
translate {
id => "translate port to description"
field => "port"
destination => "port_description"
dictionary => [
"22","SSH Traffic",
"80","HTTP Traffic",
"9999","Whatever traffic"
]
}
}
}
if you want it to be externally mapped with a file that you can maintain, do:
filter {
if [port] {
translate {
id => "translate port to description"
field => "port"
destination => "port_description"
dictionary_path => "/etc/logstash/conf.d/lookup_tables/your_ports.json"
fallback => "didnt_work"
}
}
}
{"22":"SSH Traffic","80":"HTTP Traffic"}
Awesome thanks a lot for the direction I wasn't aware of the translate plugins.
I'm basically modifying the linux standard port definition in /etc/services but I realize I'll need 2 value to match the description:
"22, TCP: SSH"
Looking at the doc of the plugin this seems to be the correct format:
20 6: ftp-data
21 6: ftp
21 17: fsp
22 6: ssh
23 6: telnet
25 6: smtp
37 6: time
37 17: time
(where 6 is tcp and 17 UDP). I'll test it and make sure it works and I'll update the tag and post the file in case someone might find it useful.
Thanks @pastechecker !
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.