Hi! I was using the Logstash netflow module for a while. With ELK 7.4 I started to get some errors with UDP input and realized that Logstash Netflow Module was being deprecated. So, I installed Filebeat Netflow Module.
However I already have some visualizations and dashboards built using the Logstash Netflow Modules fields. So, I'm migrating them.
In Logstash Netflow Module and many other tools that work with Netflow the addresses fields are so simple, as src_addr and dst_addr. They exist just like this, regardless if the value is IPv4 or IPv6. This is a very common way and turns the filtering and visualizations easy.
But, with Filebeat Netflow Module we have netflow.destination_ipv4_address, netflow.source_ipv4_address, netflow.destination_ipv6_address and netflow.source_ipv6_address.
The segregation of v4 and v6 turns grouping tasks more complex because some flows will have the values empty. I'll have to had different searches and visualizations just to segregate v4 and v6.
Is there some way to have just src_addr and dst_addr fields, regardless of IP version?
Thank you!
EDIT 1:
I've realized there are fields named source.ip and destination.ip. However they only exist when the flow is v4. In v6 flows these fields doesn't exist. They could be used as the single address field in aggregations, but they aren't working for IPv6 flows.