Hi team, we have configured a Palo Alto Firewall to send Netflow to a Filebeat.
We are seeing all events right, except that the "User-ID" Netflow field (value 56702) its not shown.
We have replaced the Filebeat with a Logstash, and with it we are seeing the "User-ID" Netflow field is mapped on the "netflow_user_id" Elasticsearch field.
Is there any way to configure the Netflow Filebeat Input to collect it? Or it's an issue that must be fixed in the code?
Thanks!
The netflow input in Filebeat has support for custom field definitions. For example:
filebeat.inputs:
- type: netflow
max_message_size: 10KiB
host: "0.0.0.0:2055"
protocols: [ v5, v9, ipfix ]
expiration_timeout: 30m
queue_size: 8192
custom_definitions:
- /etc/filebeat/netflow-application-specific-fields.yml
/etc/filebeat/netflow-application-specific-fields.yml:
346:
- :uint32
- :privateEnterpriseNumber
56701:
- :string
- :app_id
56702:
- :string
- :user_id
Great, it worked, thanks!!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.