Hi everyone,
Very new to elk, in fact, only just reading about it :). I do have a query around enrichment. If I had logs with MAC addresses in, is it possible to lookup the oui somewhere and add that as a attribute when inserting into elasticsearch? I can see this being quite useful for me to be able to graph the top x vendors etc 
Thanks in advance.
That would be a neat feature, but in my limited experience, I haven't found anything like that. There is a DNS filter, and a geo-ip feature. I think the closest you could get is with the Translate filter. This guy looks at a dictionary that you create and converts values in the field it's looking at, or write to a new field, what's in the dictionary. So you could go to a site like this guy, build a dictionary file of the OUI/vendor pairings and then translate would analyze the fields altering/adding the vendor data. It's not elegant but it would probably work.
I think the problem with building an OUI lookup filter is that, if it were an offline database, it would quickly become out of date and if it were an online database, someone would have to maintain it and be ok with freeloaders constantly pinging it for results, lol.
There is logstash-filter-oui. In the past I used it extensively, and it does exactly what you are asking for. Unfortunately it stopped working about the time 5.6 was released. Most likely it just needs dependencies updated. But it has been ignored so far.
Thanks both. I will take a look at both suggestions
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.