I am new to the ELK stack. I am collecting SNMP traps and NetFlow (over UDP) from a router, but in the flow records I only see the post-NAT IPv4 addresses, never the inside (pre-NAT) ones. My Logstash pipeline config is below.
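input {
  # SNMP v1/v2c trap receiver.
  # Port 162 is privileged: the Logstash process needs root or
  # CAP_NET_BIND_SERVICE to bind it, or pick a port above 1024 and redirect
  # 162 to it at the host firewall.
  snmptrap {
    port => 162
    # v1/v2c community strings cross the wire in cleartext and "public" is the
    # universal default, so anyone on the path can inject traps. Take the
    # string from the Logstash keystore / environment instead of the config
    # file (bin/logstash-keystore add SNMP_COMMUNITY); it only falls back to
    # "public" when the variable is unset.
    community => "${SNMP_COMMUNITY:public}"
    type => "snmptrap"
  }
  # NetFlow v5/v9 and IPFIX (v10) collector.
  # NetFlow has no authentication and UDP sources are trivially spoofed:
  # restrict this port to the exporter's address at the host firewall.
  udp {
    port => 2055
    codec => netflow {
      versions => [5, 9, 10]
    }
    type => "netflow"
  }
}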
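filter {
  if [type] == "snmptrap" {
    # NOTE(review): this pattern assumes the trap was rendered as "key=value;"
    # pairs. The snmptrap input normally also emits one field per varbind OID,
    # so inspect a raw event (see the stdout output) and confirm the match
    # before relying on these fields.
    # The label captures for oid/enterprise/timestamp used the same name as the
    # value captures, which turns each of those fields into a two-element array;
    # the labels now land in *_key fields so the values stay scalar.
    grok {
      match => { "message" => "%{WORD:snmp_version}\s*=%{INT:snmp_version_number};\s*%{WORD:snmp_community}\s*=%{DATA:snmp_community_string};\s*%{WORD:snmp_type}\s*=%{WORD:snmp_trap_type};\s*%{WORD:snmp_trap_oid_key}\s*=%{DATA:snmp_trap_oid};\s*%{WORD:snmp_trap_ip}\s*=%{IP:snmp_trap_source_ip};\s*%{WORD:snmp_trap_enterprise_key}\s*=%{DATA:snmp_trap_enterprise};\s*%{WORD:snmp_trap_timestamp_key}\s*=%{DATA:snmp_trap_timestamp};\s*%{WORD:snmp_trap_vars}\s*=%{GREEDYDATA:snmp_trap_variables}" }
    }
    # The trap timestamp is epoch seconds; use it as the event time.
    date {
      match => [ "snmp_trap_timestamp", "UNIX" ]
      target => "@timestamp"
    }
    # Only discard the raw message once it has actually been parsed; after a
    # grok failure it is the only record of what the trap contained.
    if "_grokparsefailure" not in [tags] {
      mutate {
        remove_field => ["snmp_trap_timestamp", "message"]
      }
    }
  }
  # Classify flow endpoints as internal/external. Restricted to netflow events:
  # on trap events the [netflow] fields do not exist, the sprintf would hand the
  # literal "%{[netflow]...}" string to cidr, and every trap would end up
  # labelled "external".
  if [type] == "netflow" {
    # NOTE(review): confirm these field names against a real decoded record;
    # depending on codec and flow version the address fields are named
    # differently (e.g. ipv4_src_addr for v5/v9, sourceIPv4Address for IPFIX).
    # NAT-aware exporters carry inside and translated addresses as separate
    # elements (postNATSourceIPv4Address / postNATDestinationIPv4Address versus
    # the plain source/destination ones); which of them are present is decided
    # by the router's flow-record definition, not by this codec.
    cidr {
      add_tag => [ "internal" ]
      address => [ "%{[netflow][source_ipv4_address]}", "%{[netflow][destination_ipv4_address]}" ]
      # RFC 1918 ranges; add any other networks you treat as internal.
      network => [ "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12" ]
    }
    if "internal" in [tags] {
      mutate {
        add_field => { "network_type" => "internal" }
      }
    } else {
      mutate {
        add_field => { "network_type" => "external" }
      }
    }
  }
}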
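output {
  elasticsearch {
    hosts => ["https://192.168.200.45:9200"]
    index => "snmp_netflow_data"
    ssl => true
    # CA that signed the Elasticsearch HTTP certificate, so the server
    # identity is verified rather than just encrypted to.
    cacert => "/etc/logstash/conf.d/http_ca.crt"
    # Do not ship under the built-in superuser with a literal password in a
    # pipeline file: anyone who can read conf.d owns the cluster. Create a role
    # limited to writing this index (see the elasticsearch output docs for the
    # exact privilege list), a user bound to it, and store both in the keystore:
    #   bin/logstash-keystore add ES_USER
    #   bin/logstash-keystore add ES_PWD
    user => "${ES_USER}"
    password => "${ES_PWD}"
  }
  # Debug aid only: echoes every event, trap varbinds included, to Logstash's
  # stdout/journal. Remove it once the pipeline is confirmed working.
  stdout {
    codec => rubydebug
  }
}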