How do I map fields with ECS if I am using my own grok filters

Blason · March 21, 2022, 3:46am

Hi Team,

Here is my grok parser

match => { "message" => "(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) rpz: info: client @%{WORD:data} %{IPV4:clientipaddr}#%{INT:sport} \(%{NOTSPA
CE:qdomain}\): rpz QNAME Local-Data rewrite %{NOTSPACE:origdom} via %{NOTSPACE:rewritten}"

This is a BIND RPZ and wondering how do I convert those so that they adhere with ECS? Can someone please help?

system · April 18, 2022, 3:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing URL with Logstash (using ECS fields) Logstash	2	2033	November 28, 2019
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	746	March 2, 2021
Logstash/grok patterns with ECS Logstash ecs-elastic-common-schema	12	3200	November 10, 2020
Logstash ECS Compatiblity Issues Logstash	6	3109	June 6, 2022
Convert fields to ECS Logstash	8	1697	April 21, 2020

How do I map fields with ECS if I am using my own grok filters

Related Topics