Filebeat module netflow - modify netflow @timestamp by the current time

Bruno1 · January 30, 2020, 11:04am

Hello,

I have a problem, the netflow filebeat module keep the timestamp of inside the netflow packet. Here 1993-12-03..., but I want modify this value by the current time.

For now I have:

Blockquote
{
"@timestamp": "1993-12-03T19:05:37.626Z",
"@metadata": {
"beat": "filebeat",
[...]
"netflow": {
[...]
"timestamp": "1993-12-03T19:05:37.626Z"
[...]
}
[...]
Blockquote

But I want this output:

Blockquote
{
"@timestamp": "2020-01-30T12:03:00.626Z",
"@metadata": {
"beat": "filebeat",
[...]
"netflow": {
[...]
"timestamp": "1993-12-03T19:05:37.626Z"
[...]
}
[...]
Blockquote

If someone have an idea for change the value of @timestamp by the operating system time ?

Thanks

adrisr · January 30, 2020, 5:41pm

So currently Filebeat reads the date on the Netflow/IPFIX header and uses that as @timestamp field, there's no configuration flag to use the current ingestion time instead.

However you can work around it with the script processor:

(filebeat.yml)

processors:
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_kubernetes_metadata: ~
   - script:
      lang: javascript
      source: >
          function process(event) {
              event.Put('@timestamp', new Date());
          }

Consider adding a when condition so that it only applies to Netflow events.

About the wrong date, is the date set wrong on your netflow device or Filebeat is parsing it incorrectly? If you're unsure, can you share a pcap with the netflow traffic?

Bruno1 · February 7, 2020, 2:50pm

Thanks a lot

system · March 6, 2020, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.