Logstash ip protocol enriching

Hello community. I was busy with the task of collecting netflow using logstash. So I noticed that the netflow data after the "netflow" codec contains the "protocol" field, which is actually the protocol number. But there is no filter in logstash that can convert the protocol number to the name of the protocol. Why is that? How do you deal with this task? How about adding a filter that will do this?

You could use a translate filter to do that.

As badger said, you can do that using the translate filter.

I use the following configuration in some pipelines I have:

    translate {
        # event field holding the IP protocol number (as a string)
        field => "proto"
        # where the protocol name is written
        destination => "[network][protocol]"
        dictionary =>  {
            "6" => "TCP"
            "17" => "UDP"
            "1" => "ICMP"
        }
        # drop the numeric field once it has been translated
        remove_field => ["proto"]
    }

You can get the list of protocol numbers here.
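To cover the whole IANA list instead of three hand-typed entries, the translate filter can load its mapping from a file via its `dictionary_path` option (and `fallback` handles numbers not in the list). The script below is an added example, not code from the thread: it parses /etc/protocols-style text (a constructed sample is embedded) into the YAML that `dictionary_path` reads, and `lookup` mirrors the filter's match-or-fallback behaviour.

```python
"""Build a Logstash translate dictionary from /etc/protocols-style data."""
import re

# Constructed sample in /etc/protocols format: name, number, alias, comment.
SAMPLE_PROTOCOLS = """\
# Internet (IP) protocols
ip        0   IP          # internet protocol, pseudo protocol number
icmp      1   ICMP        # internet control message protocol
tcp       6   TCP         # transmission control protocol
udp       17  UDP         # user datagram protocol
gre       47  GRE         # General Routing Encapsulation
esp       50  IPSEC-ESP   # Encap Security Payload
ipv6-icmp 58  IPv6-ICMP   # ICMP for IPv6
"""

# name, number, then everything up to an optional '#' comment (the aliases)
LINE_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s*([^#]*)")


def parse_protocols(text):
    """Return {number_as_string: NAME} from /etc/protocols-style text.

    Keys stay strings because translate compares the event field's string
    value; names are upper-cased to match the TCP/UDP/ICMP style above.
    The first entry seen for a number wins, like a dictionary lookup.
    """
    table = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, number, aliases = m.group(1), m.group(2), m.group(3).split()
        canonical = (aliases[0] if aliases else name).upper()
        table.setdefault(number, canonical)
    return table


def to_translate_yaml(table):
    """Render the table as the YAML mapping translate's dictionary_path loads."""
    ordered = sorted(table.items(), key=lambda kv: int(kv[0]))
    return "".join('"%s": "%s"\n' % (num, name) for num, name in ordered)


def lookup(table, proto, fallback="UNKNOWN-%s"):
    """Mirror the filter: exact match on the number, else a fallback value."""
    key = str(proto)
    return table.get(key, fallback % key)


if __name__ == "__main__":
    print(to_translate_yaml(parse_protocols(SAMPLE_PROTOCOLS)), end="")
```

Write the printed YAML to a file and point `dictionary_path` at it; unknown numbers then surface as `UNKNOWN-<n>` rather than silently keeping the bare number.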
