The rename function in /usr/share/filebeat/module/zeek/connection/config/connection.yml

```yaml
processors:
  - drop_fields:
      fields: ["json.orig_bytes", "json.resp_bytes", "json.tunnel_parents"]
  - rename:
      fields:
        - from: "json"
          to: "zeek.connection"
        - from: "zeek.connection.duration"
          to: "temp.duration"
        - from: "zeek.connection.id.orig_h"
          to: "source.address"
        - from: "zeek.connection.id.orig_p"
          to: "source.port"
        - from: "zeek.connection.id.resp_h"
          to: "destination.address"
        - from: "zeek.connection.id.resp_p"
          to: "destination.port"
        ...
```

is failing to set the field type to ip and instead adds it as a string, which seems to be preventing the IP addresses from being handled as IP addresses.
I am trying to replace this with the convert function, and have placed it between the `- drop_fields:` and `- rename:` processors with the settings below.

```yaml
  - convert:
      fields:
        - {from: "zeek.connection.id.orig_h", to: "source.address", type: "ip"}
        - {from: "zeek.connection.id.resp_h", to: "destination.address", type: "ip"}
        - {from: "zeek.connection.id.orig_p", to: "source.port", type: "integer"}
        - {from: "zeek.connection.id.resp_p", to: "destination.port", type: "integer"}
```
When it runs, the debug Filebeat log shows the following error:

```
failed in processor.convert: conversion of field [zeek.connection.id.orig_h] to type [ip] with target field [source.address] failed: field [zeek.connection.id.orig_h] is missing: key not found
```
What am I doing wrong to get the convert to work here?
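The following is an added example, not part of the original post or of the Filebeat Zeek module itself. It shows the processor chain re-ordered so that `convert` can find the field it is asked for. Filebeat runs the `processors` list in the order written; in the posted configuration `convert` sits before the `rename` that moves `json` to `zeek.connection`, so at that point the source field is still `json.id.orig_h` and `zeek.connection.id.orig_h` does not exist yet, which is what the `key not found` error is reporting. The fix below places `convert` after that rename and uses `mode: rename` for the four `id.*` fields in place of the corresponding `rename` entries (the `rename` processor refuses to overwrite a target that already exists, so leaving both in would fail on the second one). The remaining entries of the module's `rename` list, elided as `...` in the post, are left as they were; `ignore_missing` and `fail_on_error` are standard options of the `convert` processor and are assumptions about the desired failure behaviour rather than values taken from the module.

```yaml
# Added example (not the module's own file). Processors execute top to bottom,
# so anything that references zeek.connection.* must come after the rename
# that creates it.
processors:
  - drop_fields:
      fields: ["json.orig_bytes", "json.resp_bytes", "json.tunnel_parents"]
  - rename:
      fields:
        - from: "json"
          to: "zeek.connection"
        - from: "zeek.connection.duration"
          to: "temp.duration"
        # the module's other rename entries stay here unchanged
  # zeek.connection.id.* now exists, so convert can find it.
  # mode: rename moves the field instead of copying it, which replaces the
  # four rename entries the original file used for these same fields.
  - convert:
      mode: rename
      ignore_missing: true   # assumption: skip events without conn id fields
      fail_on_error: false   # assumption: keep the event if a value is not an IP
      fields:
        - {from: "zeek.connection.id.orig_h", to: "source.address", type: "ip"}
        - {from: "zeek.connection.id.resp_h", to: "destination.address", type: "ip"}
        - {from: "zeek.connection.id.orig_p", to: "source.port", type: "integer"}
        - {from: "zeek.connection.id.resp_p", to: "destination.port", type: "integer"}
```

Two caveats worth checking before relying on this. First, `type: ip` in the `convert` processor validates that the string is an IPv4 or IPv6 address; the event still carries it as a string, and whether Elasticsearch treats the field as an `ip` is decided by the index mapping, not by the processor. In ECS `source.address` and `destination.address` are `keyword` fields while `source.ip` and `destination.ip` are the `ip`-typed ones, so IP-range queries and CIDR matching need the value in `*.ip` (the module's ingest pipeline and template handle that side); confirm with `GET <index>/_mapping` which type the field actually got. Second, edits to files under `/usr/share/filebeat/module/` are overwritten on upgrade, so a processor change like this is safer kept in `filebeat.yml` or in the ingest pipeline than in the module's `connection.yml`.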