I am importing logs from FireSight(cisco) into Logstash and outputting to Elasticsearch. Here is my conf file from Logstash.
input {
  udp {
    port => 5545
    type => "firesight"
  }
}

filter {
  grok {
    # FIREPOWERBASE and FPPACKETRESPONSE are custom patterns loaded from patterns_dir
    patterns_dir => ["./patterns"]
    # Several patterns for one field belong in an array; grok tries them in order
    # and stops at the first one that matches (repeating "match" keys is not the
    # documented form).
    match => {
      "message" => [
        "%{SYSLOGBASE} Protocol: %{WORD:protocol}, SrcIP: %{IP:srcIP}, DstIP: %{IP:dstIP}, SrcPort: %{NUMBER:srcPort}, DstPort: %{NUMBER:dstPort}, TCPFlags: %{WORD:tcpFlags}, IngressInterface: %{WORD:ingressINT}, EgressInterface: %{WORD:egressINT}, IngressZone: %{WORD:ingressZone}, EgressZone: %{WORD:egressZone}, DE: %{DATA:primaryDE}, Policy: %{WORD:policy}, ConnectType: %{WORD:connectType}, AccessControlRuleName: %{DATA:aclRuleName}, AccessControlRuleAction: %{WORD:aclRuleAction}, UserName: %{WORD:username}, UserAgent: %{DATA:userAgent}, Client: %{WORD:client}, ClientVersion: %{DATA:clientVer}, ApplicationProtocol: %{WORD:appProtocol}, InitiatorPackets: %{NUMBER:initPackets}, ResponderPackets: %{NUMBER:responderPackets}, InitiatorBytes: %{NUMBER:initBytes}, ResponderBytes: %{NUMBER:respondBytes}, NAPPolicy: %{DATA:NaPPolicy}, DNSResponseType: %{DATA:dnsResponseType}, Sinkhole: %{WORD:sinkhole}, HTTPReferer: %{URI:httpReferer}, ReferencedHost: %{DATA:referencedHost}, URLCategory: %{DATA:urlCategory}, URLReputation: %{DATA:urlReputation}, URL: %{URI:URL}",
        "%{FIREPOWERBASE} ?(UserName: %{DATA:username})?,? ?(UserAgent: %{DATA:UserAgent})?,? Client: %{DATA:client}, ?(ClientVersion: %{DATA:ClientVersion})?,? ApplicationProtocol: %{WORD:appProtocol}, ?(WebApplication: %{DATA:WebApp})?,? %{FPPACKETRESPONSE} DNSResponseType: %{DATA:dnsResponseType}, Sinkhole: %{WORD:sinkhole}, ?(HTTPReferer: %{URI:httpReferer})?,? ?(ReferencedHost: %{DATA:ReferencedHost})?,? URLCategory: %{DATA:urlCategory}, URLReputation: %{DATA:urlReputation}, URL: %{URI:url}",
        "%{FIREPOWERBASE} Client: %{DATA:client}, ApplicationProtocol: %{DATA:appProtocol}, %{FPPACKETRESPONSE} DNSResponseType: %{DATA:dnsResponseType}, Sinkhole: %{WORD:sinkhole}, URLCategory: %{DATA:urlCategory}, URLReputation: %{DATA:urlRep}"
      ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["10.50.184.119", "10.50.184.120", "10.50.184.121"]
    # one index per day, named after the type
    index => "firesight-%{+YYYY.MM.dd}"
  }
  stdout {}
}
I am trying to use the Visualize tab in Kibana and it's coming back with "not analyzed". I know I need to set up some mappings for the strings in Elasticsearch. My question is: can I use the "manage_template" option in Logstash to achieve this?
I would change the Logstash output section of the conf file to add this:
    # the elasticsearch output option is spelled manage_template
    manage_template => true
Would this force it to use Logstash's default template, which adds the .raw fields, or do I need to create my own template with custom mappings and point the output at that?
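For reference, here is what a custom index template for the firesight-* indices looks like; this is an added example, not part of the post, and is the shape of Logstash's own default template (which only covers index names matching logstash-*) rewritten for this index name. It assumes Elasticsearch 2.x string mappings, gives every string field a not_analyzed .raw sub-field for aggregations, and types the IP, port and byte-count fields from the grok patterns above explicitly.

```json
{
  "template": "firesight-*",
  "settings": { "index.refresh_interval": "5s" },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "message_field": {
            "match": "message",
            "match_mapping_type": "string",
            "mapping": { "type": "string", "index": "analyzed", "omit_norms": true }
          }
        },
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "analyzed",
              "omit_norms": true,
              "fields": {
                "raw": { "type": "string", "index": "not_analyzed", "ignore_above": 256 }
              }
            }
          }
        }
      ],
      "properties": {
        "@timestamp": { "type": "date" },
        "@version": { "type": "string", "index": "not_analyzed" },
        "srcIP": { "type": "ip" },
        "dstIP": { "type": "ip" },
        "srcPort": { "type": "integer" },
        "dstPort": { "type": "integer" },
        "initPackets": { "type": "long" },
        "responderPackets": { "type": "long" },
        "initBytes": { "type": "long" },
        "respondBytes": { "type": "long" }
      }
    }
  }
}
```

Saved to a file, it is pointed at from the elasticsearch output with the `template`, `template_name` and `template_overwrite` options; the template only affects indices created after it is installed.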