Filebeat modules purpose?

I just tested for the first time a Filebeat module.
If I'm right, the purpose of a module is to have a ready-to-use pattern and dashboard, with a little data enrichment.

So I don't understand what is going on, because the only thing the module does is add useless information like a host.ip field with 30 different IPs.

Can anyone explain to me why?

Here is a log example from my Cisco switch:

```
<190>%AAA-I-DISCONNECT: http connection for user cisco, source X.X.X.X destination X.X.X.X TERMINATED
```

Here is the document sent by Filebeat (Cisco ASA module) to Elasticsearch via the pipeline:

```json
{
  "@timestamp": "2021-06-08T15:17:02.641Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.13.1",
    "truncated": false,
    "pipeline": "filebeat-7.13.1-cisco-asa-asa-ftd-pipeline"
  },
  "message": "<190>%AAA-I-DISCONNECT: http connection for user cisco, source 10.0.0.143 destination 192.168.72.254 TERMINATED  ",
  "log": {
    "source": {
      "address": "x.x.x.x:514"
    }
  },
  "fileset": {
    "name": "asa"
  },
  "input": {
    "type": "udp"
  },
  "tags": [
    "cisco-asa",
    "forwarded"
  ],
  "service": {
    "type": "cisco"
  },
  "event": {
    "dataset": "cisco.asa",
    "timezone": "+02:00",
    "module": "cisco"
  },
  "ecs": {
    "version": "1.9.0"
  },
  "agent": {
    "name": "xxxx",
    "type": "filebeat",
    "version": "7.13.1",
    "hostname": "xxxx",
    "ephemeral_id": "60a87fc8-2e92-4cc9-b987-0340aeaa6eca",
    "id": "adf817af-fe0b-4f59-9a53-fa66f88a1ee7"
  },
  "host": {
    "id": "36e18f6536cc4ce195de9a72e924637e",
    "containerized": false,
    "ip": [
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      ........
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx"
    ],
    "mac": [
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx",
      "xxxxxxxxxxxxxxxx"
    ],
    "hostname": "xxx",
    "architecture": "x86_64",
    "os": {
      "kernel": "4.9.0-14-amd64",
      "codename": "stretch",
      "type": "linux",
      "platform": "debian",
      "version": "9 (stretch)",
      "family": "debian",
      "name": "Debian GNU/Linux"
    }
  }
}
```

Is this the normal behavior?
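Two things are visible in the posted document: the `host.ip` and `host.mac` arrays come from Filebeat's default `add_host_metadata` processor and describe the machine running Filebeat, not the switch, and the `cisco.asa` pipeline extracted nothing because `%AAA-I-DISCONNECT` is not an ASA-format message (`%ASA-<severity>-<id>`), so only the raw `message` field survives. As an added example that is not part of the original post or of the Filebeat module, this Python code shows the kind of extraction a matching pipeline would do on the posted line; the ECS-style field names are the usual ones, but the `cisco.facility`/`cisco.mnemonic` keys and the regexes are my own assumptions.

```python
import re

# Constructed sample: the switch line from the post (addresses as posted).
SAMPLE = ("<190>%AAA-I-DISCONNECT: http connection for user cisco, "
          "source 10.0.0.143 destination 192.168.72.254 TERMINATED  ")

# <PRI>%FACILITY-SEVERITY-MNEMONIC: body  (Cisco syslog header)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[A-Z0-9])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<body>.*)$"
)
# Body shape of the AAA connect/disconnect messages seen in the post.
AAA_RE = re.compile(
    r"^(?P<proto>\w+) connection for user (?P<user>\S+), "
    r"source (?P<src>\S+) destination (?P<dst>\S+) (?P<action>[A-Z]+)"
)


def parse_cisco_syslog(line: str) -> dict:
    """Map one Cisco switch syslog line onto ECS-style fields.

    On a header mismatch only the raw message and an error.message are
    returned, which mirrors what an ingest pipeline leaves behind when
    its grok pattern does not match (the situation in the posted document).
    """
    text = line.strip()
    m = SYSLOG_RE.match(text)
    if not m:
        return {"message": text, "error": {"message": "not a Cisco syslog line"}}
    pri = int(m["pri"])  # RFC 3164 PRI = facility * 8 + severity
    doc = {
        "message": text,
        "log": {"syslog": {"facility": {"code": pri >> 3},
                           "severity": {"code": pri & 7}}},
        "cisco": {"facility": m["facility"], "mnemonic": m["mnemonic"]},  # assumed keys
    }
    body = AAA_RE.match(m["body"])
    if body:  # the enrichment a module is meant to provide
        doc["user"] = {"name": body["user"]}
        doc["source"] = {"ip": body["src"]}
        doc["destination"] = {"ip": body["dst"]}
        doc["network"] = {"protocol": body["proto"].lower()}
        doc["event"] = {"action": body["action"].lower(),
                        "category": ["authentication"]}
    return doc


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cisco_syslog(SAMPLE), indent=2))
```

Fields such as `source.ip` and `user.name` are what a dashboard is built on, so when they are absent the module's dashboards stay empty even though the event was indexed.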
