Logstash parsing ECS

Hello everybody,

I am using logstash to parse my firewall logs, and some logs contain this information:

src=x.x.x.x srcport=YYY  dst=x.x.x.x   modsrc=x.x.x.x origdst=x.x.x.x dst= x.x.x.x srcport=YY modsrcport= YY origdstport= YY

Where:
src = IP address of the source host
dst = IP address of the destination host
modsrc = Translated IP address of the source host.
origdst = Original IP address of the destination host (before translation or the application of a virtual connection).
srcport = source TCP/UDP port number
modsrcport = Translated TCP/UDP source port number
dstport = Destination TCP/UDP port number
origdstport = Original port number of the destination TCP/UDP port (before translation or the application of a virtual connection).

I want to know how I can name these fields to respect ECS!

Thanks for your help

You can refer to ECS fields in this link for version 1.6.0.
Then you can use the mutate filter to rename fields and map them into ECS fields.

Example for source and destination information:

filter {
    mutate {
        rename => {
            "src" => "[source][ip]"
            "dst" => "[destination][ip]"
            # ....
        }
    }
}

More details are here


Thanks for your answer @ylasri,

The problem is which source IP I should name source.ip, as there are 2 source IPs (before and after address translation), and then the second one, what should I name it to respect ECS!

All information required for source IPs is here, for example:

source.ip => IP address of the source (IPv4 or IPv6).
source.nat.ip => Translated ip of source based NAT sessions (e.g. internal client to internet)

filter {
    mutate {
        rename => {
            "src" => "[source][ip]"
            "modsrc" => "[source][nat][ip]"
            # ....
        }
    }
}
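A reference implementation of the complete mapping discussed in this thread, added here as an example (it is not the Logstash filter from the posts): it parses one key=value firewall line, places every key at its ECS 1.6 path (the equivalent of the mutate rename calls above), converts ports to integers and validates the IP addresses. The sample line values, the tolerance for a space after "=", and the mapping of origdst/origdstport to destination.nat.* are assumptions.

```python
import ipaddress
import re

# Firewall key -> ECS 1.6 field path. source/source.nat come from the thread;
# ASSUMPTION: origdst/origdstport -> destination.nat.*. ECS describes
# destination.nat.* as the translated destination, so if your firewall logs
# "dst" as the post-NAT address, swap the dst/origdst targets below.
FIELD_MAP = {
    "src": ("source", "ip"),
    "srcport": ("source", "port"),
    "modsrc": ("source", "nat", "ip"),
    "modsrcport": ("source", "nat", "port"),
    "dst": ("destination", "ip"),
    "dstport": ("destination", "port"),
    "origdst": ("destination", "nat", "ip"),
    "origdstport": ("destination", "nat", "port"),
}

# key=value pairs; "\s*" tolerates the "dst= x.x.x.x" spacing seen in the thread's sample.
PAIR_RE = re.compile(r"(\w+)=\s*(\S+)")


def parse_kv(line):
    """Raw key/value pairs of one firewall line (a later duplicate key wins)."""
    return {k: v for k, v in PAIR_RE.findall(line)}


def set_path(doc, path, value):
    """Create nested objects so [source][nat][ip] becomes {"source": {"nat": {"ip": ...}}}."""
    node = doc
    for part in path[:-1]:
        node = node.setdefault(part, {})
    node[path[-1]] = value


def to_ecs(line):
    """Map one firewall line to a nested ECS document; unknown keys stay flat.
    Bad values are kept flat and the event is tagged, rather than dropped."""
    doc = {}
    for key, raw in parse_kv(line).items():
        path = FIELD_MAP.get(key)
        try:
            if path is None:
                raise KeyError(key)
            value = int(raw) if path[-1] == "port" else str(ipaddress.ip_address(raw))
            set_path(doc, path, value)
        except (KeyError, ValueError):
            doc[key] = raw
            doc.setdefault("tags", []).append("_ecs_mapfailure")
    return doc


# Constructed sample line (documentation address ranges, not real hosts).
SAMPLE = ("src=10.0.0.5 srcport=51234 dst=203.0.113.10 dstport=443 "
          "modsrc=198.51.100.7 modsrcport=40000 origdst=203.0.113.10 origdstport=443")
```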

Thanks a lot for your help ^ ^
