How is it possible to "label" some field? For example, Filebeat currently puts this information into the field "message":
"October 30th 2018, 14:23:46.839 30/10/2018 14:23:44 Added iexplorer.exe TCP 10.10.10.111:443 85.45.103.187:40948"
We would like Filebeat to recognize this information:
Added ---> ACTION
iexplorer.exe ----> PROCESS
TCP ---> PROTOCOL
10.10.10.111:443 ---> IP1:PORT1
85.45.103.187:40948 ---> IP2:PORT2
Filebeat modules include ingest processors to do exactly that for some known log formats. If you need to parse custom formats you can add your own ingest pipelines. For your case you probably can use the grok processor. Elasticsearch 6.5 will also include the dissect processor, which can also be useful in your case.
You can read more about using ingest pipelines with filebeat in the documentation.
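As an added illustration (not part of the thread above), here is an Elasticsearch ingest pipeline that uses the grok processor to split the sample line into separate fields. It assumes the `message` field starts at `30/10/2018 14:23:44` (the leading `October 30th 2018, ...` is the Kibana timestamp column, not log content); the pipeline name, the output field names (`action`, `process`, `protocol`, `source_ip`, ...) and the `UTC` timezone are my own choices, not anything the poster or Elastic prescribes.

```json
{
  "description": "Constructed example: parse 'Added iexplorer.exe TCP 10.10.10.111:443 85.45.103.187:40948' lines shipped by Filebeat",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "^(?<event_timestamp>%{DATE_EU} %{TIME}) %{WORD:action} %{NOTSPACE:process} %{WORD:protocol} %{IP:source_ip}:%{POSINT:source_port:int} %{IP:destination_ip}:%{POSINT:destination_port:int}"
        ]
      }
    },
    {
      "date": {
        "field": "event_timestamp",
        "formats": ["dd/MM/yyyy HH:mm:ss"],
        "timezone": "UTC"
      }
    },
    {
      "remove": {
        "field": "event_timestamp"
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.message",
        "value": "{{ _ingest.on_failure_message }}"
      }
    },
    {
      "append": {
        "field": "tags",
        "value": ["_grokparsefailure"]
      }
    }
  ]
}
```

Load it with `PUT _ingest/pipeline/<your-pipeline-name>`, check it against a sample document with `POST _ingest/pipeline/<your-pipeline-name>/_simulate` before going live, and then set `output.elasticsearch.pipeline: <your-pipeline-name>` in `filebeat.yml`. The `on_failure` block keeps lines that do not match the pattern instead of dropping them, tagging them so the unparsed events are easy to find and the pattern can be adjusted.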