Install ingest-user-agent on ELK


#1

Hello,
I would like, in my elk stack, to be able to know which browser my users are using. I've added the user-agent header in my logs and I send it to elastic via filebeat and logstash. Everything works fine.
Now I have my new field in my index:

    "userAgent": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    }

And it has the right value (e.g. Mozilla/5.0_(Windows_NT_6.1)AppleWebKit/537.36(KHTML__like_Gecko)_Chrome/65.0.3325.181_Safari/537.36)

Now, I would like to use a plugin to be able to analyse the user-agent field and transform it into the browser name and version (e.g. Firefox V21). I searched on the internet and found this plugin: ingest-user-agent. I found how to install it (with some kind of pipeline command).
Could you please tell me what I have to do to make it work? I've already installed the plugin; all I need to know is what I should change in my index to make the userAgent field transform into a userAgentDetail field containing the agent details given by the plugin.
I found no documentation about how to use it with ELK.
Thanks for your help.


#2

Just one more detail. I already use the geoip plugin. Is it the same for user-agent? In order to make the geoip plugin work, I call the following lines in my logstash filter (ip1 contains the ip, and geoip1 contains the ip details):

    geoip {
      source => "ip1"
      target => "geoip1"
    }

Could you tell me if there is an equivalent call for the user-agent?


#3

Sorry for asking the question. I finally found the answer myself. I managed to make it work by adding the following lines in my logstash filter... (Once I remembered about the geoip plugin, I found the answer)

    useragent {
      source => "userAgent"
      target => "userAgentDetails"
    }

So, you can close this ticket... Maybe it will help someone else to make it work... (Finally my problem was that I didn't find any doc on the internet because I wasn't using the right search phrase)
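
The thread asks about the ingest-user-agent plugin but settles on the Logstash `useragent` filter. As an added example (not part of the thread), here is the same parsing done on the Elasticsearch side with an ingest pipeline, in Kibana Dev Tools console syntax. The field names `userAgent` and `userAgentDetails` come from the posts above; the pipeline name `parse-user-agent` and the sample document are constructed for illustration.

```console
# Define an ingest pipeline whose user_agent processor reads the raw header
# from "userAgent" and writes the parsed browser/OS/device details to
# "userAgentDetails". The pipeline name is a placeholder for this example.
PUT _ingest/pipeline/parse-user-agent
{
  "description": "Parse the raw userAgent header into userAgentDetails",
  "processors": [
    {
      "user_agent": {
        "field": "userAgent",
        "target_field": "userAgentDetails",
        "ignore_missing": true
      }
    }
  ]
}

# Dry-run the pipeline against a constructed document before routing real
# events through it. Nothing is indexed by _simulate.
POST _ingest/pipeline/parse-user-agent/_simulate
{
  "docs": [
    {
      "_source": {
        "userAgent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
      }
    }
  ]
}
```

To apply the pipeline to events shipped by Logstash, set `pipeline => "parse-user-agent"` in the `elasticsearch` output, or pass `?pipeline=parse-user-agent` on an index request. The raw `userAgent` field stays in the document, which matters because the header is client-supplied and the parsed details are only as reliable as that input.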

