Hello @magnusbaeck,
this is my current config file. I need some feedback on how my config file should look in order to replicate the same data from the CSV file in Elasticsearch.
input {
  # Receive the CSV lines shipped by Filebeat on TCP 5044.
  # NOTE(review): no ssl options are set on this input, so the listener
  # speaks plain TCP; the beats input has ssl / ssl_certificate / ssl_key
  # settings for when the shipper and this node are on different hosts.
  beats {
    port => 5044
    # Tagging incoming events with a type stays disabled; the csv filter
    # below is applied to every event regardless of type.
    #type => "datacsv"
  }
}
filter {
  # Split each line into named fields. The column names are fixed here and
  # assigned positionally, so the export's column order has to match this
  # list; autodetect_column_names stays off. Presumably the header line of
  # the export is parsed as a data row as well, so it should be dropped in
  # Filebeat or with a conditional before this filter - confirm.
  csv {
    columns => ["Asset Alternate IPv4 Addresses", "Asset Alternate IPv6 Addresses", "Asset Criticality","Asset ID", "Asset IP Address", "Asset Location", "Asset MAC Addresses", "Asset Names", "Asset OS Family", "Asset OS Name", "Asset OS Version", "Asset Owner", "Asset Risk Score", "Custom Tag", "Exploit Count", "Exploit Minimum Skill", "Exploit URLs", "Malware Kit Count", "Malware Kit Names", "Scan ID","Scan Template Name", "Service Name", "Service Port", "Service Product", "Service Protocol", "Site Importance", "Site Name", "Vulnerability Additional URLs", "Vulnerability Age", "Vulnerability CVE IDs", "Vulnerability CVE URLs", "Vulnerability CVSS Score","Vulnerability CVSSv3 Score", "Vulnerability CVSSv3 Vector" ]
    separator => ","
    #quote_char => '\'
    # No convert block is active, so every column reaches Elasticsearch as a
    # string unless the index template maps it otherwise. An IPv4 address is
    # not an integer: map "Asset IP Address" as an ip type on the index side
    # rather than converting it here. "Vulnerability Test Date" is not in the
    # columns list above, so that entry would do nothing even if enabled.
    #convert => {
    # "Asset IP Address" => "integer"
    # "Service Port" => "integer"
    # "Vulnerability Test Date" => "integer"
    #}
    #autodetect_column_names => true
    # Empty cells and empty lines are dropped instead of producing
    # empty-string fields.
    skip_empty_columns => true
    skip_empty_rows => true
  }

  # Earlier attempts at cleaning the raw message, kept for reference only.
  #kv { prefix => "arg_" }
  #mutate {
  #gsub => ["message","\"","'"]
  #gsub => ["message","^\\s+|\*@$^&\"\\s+$", ""]
  #gsub => ["message","[\\s+\"!@#$%^&*]", ""]
  #}

  # Stamp each event with the time Logstash processed it (a copy of
  # @timestamp as it is at this point in the pipeline).
  mutate {
    add_field => { "received_at" => "%{@timestamp}" }
    # NOTE(review): the csv filter writes its columns as top-level fields
    # unless `target` is set, so %{[columns][Asset ID]} presumably would not
    # resolve; use %{[Asset ID]} if this is ever enabled - confirm.
    #update => { "Asset ID" => "R7_%{[columns][Asset ID]}"}
  }

  # "Vulnerability Proof" is not among the parsed columns, so this removal
  # would be a no-op with the current column list.
  #mutate {
  # remove_field => ["Vulnerability Proof" ]
  #}
}
output {
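elasticsearch {
  # One seed endpoint, given without a scheme, so the connection is plain
  # HTTP; use an https:// host entry (plus the ssl_* options) when the
  # cluster requires TLS. With sniffing on, Logstash asks the cluster for
  # the other nodes' published addresses and spreads requests over them, so
  # those addresses have to be reachable from this host as well.
  hosts => ["10.xx.x.xx:9200"]
  sniffing => true
  # The password is no longer a clear-text literal in the pipeline file: it
  # is resolved from the Logstash keystore (bin/logstash-keystore add ES_PWD)
  # or from an environment variable of the same name at startup. ES_PWD is
  # just the entry name chosen here; any name works as long as both sides
  # agree. The user name itself can stay in the file.
  user => elastic
  password => "${ES_PWD}"
  # Plain index action into a fixed index. manage_template => false means
  # Logstash installs no template, so the numeric, date and ip mappings for
  # the CSV columns must already be declared on the cluster side.
  action => index
  index => r7data
  manage_template => false
}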
# Also echo every event to the console with the stdout output's default
# codec; handy while tuning the column list, noisy once the pipeline works.
#stdout { codec => plain }
stdout { }