How do I map fields with ECS if I am using my own grok filters

Blason · March 21, 2022, 3:46am

Hi Team,

Here is my grok parser

match => { "message" => "(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) rpz: info: client @%{WORD:data} %{IPV4:clientipaddr}#%{INT:sport} \(%{NOTSPA
CE:qdomain}\): rpz QNAME Local-Data rewrite %{NOTSPACE:origdom} via %{NOTSPACE:rewritten}"

This is a BIND RPZ and wondering how do I convert those so that they adhere with ECS? Can someone please help?

system · April 18, 2022, 3:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing URL with Logstash (using ECS fields) Logstash	2	2039	November 28, 2019
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	754	March 2, 2021
Logstash/grok patterns with ECS Logstash ecs-elastic-common-schema	12	3203	November 10, 2020
Parsing URL with Logstash (using ECS fields) nested! Logstash ecs-elastic-common-schema	4	4939	December 27, 2019
Migrating logstash filters to ECS Logstash ecs-elastic-common-schema	3	2254	September 10, 2019

How do I map fields with ECS if I am using my own grok filters

Related topics