How can filebeat recognize some fields?

stefano.bisi · October 30, 2018, 1:28pm

Good Morning

How is it possibile to "label" some filed? for example, actually filebeat put into the field "message" these information
"October 30th 2018, 14:23:46.839 30/10/2018 14:23:44 Added iexplorer.exe TCP 10.10.10.111:443 85.45.103.187:40948"

We would like Filebeat recognize these information:
Added ---> ACTION
iexplorer.exe ----> PROCESS
TCP ---> PROTOCOL
10.10.10.111:443 ---> IP1:PORT1
85.45.103.187:40948 ---> IP2:PORT2

thank you so much.
Stefano Bisi

jsoriano · October 30, 2018, 1:40pm

Hi @stefano.bisi and welcome

Filebeat modules include ingest processors to do exactly that for some known log formats. If you need to parse custom formats you can add your own ingest pipelines. For your case you probably can use the grok processor. Elasticsearch 6.5 will also include the dissect processor, that can be also useful in your case.
You can read more about using ingest pipelines with filebeat in the documentation.

Topic		Replies	Views
How to customize a filebeat to parse a log? Beats filebeat	3	12553	October 16, 2020
EFK \| Filebeat Beats elastic-stack-monitoring , docker , filebeat	2	339	November 29, 2023
Create new Fields to Filter by Beats filebeat	3	416	September 10, 2019
Filebeat dissect Beats filebeat	1	1109	February 11, 2021
Exported fields in filebeat processors Beats filebeat	2	1175	March 13, 2017

How can filebeat recognize some fields?

Related topics