Hi,
I've noticed that in case of Fortigate devices the application_id field is translated incorrectly.
By default logstash outputs 20:53068615909376 as the application_id. However it should look something like 15921.
The reply I got from our Fortinet reseller is this:
Is there any way to have Logstash process this field correctly?
I assume that your issue is with the Logstash Netflow Module. That module was based on the v1.0.0 release of the ElastiFlow solution. ElastiFlow is currently on v1.2.0 and includes a number of enhancements and fixes that aren't in the Logstash Netflow Module, including the fix for application_id. So the easiest solution to your problem is just to use ElastiFlow.
NOTE: While not directly related to your problem, I recommend keeping the Logstash Netflow Codec up to date, even if you are not updating Logstash itself. This is achieved with the following command...
LOGSTASH_HOME/bin/logstash-plugins update logstash-codec-logstash
Hi Robert,
I found out about ElastiFlow while googling for this issue. Unfortunately I'm not only collecting netflow data so I need to stick with Logstash.
I'm using the netflow codec 3.9.0 however data output is still 20:xxxxx for the application_id field.
I've tried changing the type from string to keyword (seems to be the issue?) in /usr/share/logstash/modules/netflow/configuration/elasticsearch/netflow.json but in stdout I still get the incorrect data.
{
"order": 0,
"template": "netflow-*",
"mappings": {
"_default_": {
"_meta": {
"version": "6.0.0"
},
"dynamic_templates": [
{
"application_id": {
"path_match": "netflow.application_id",
"mapping": {
"type": "keyword"
}
}
},Is it possible to fix this using the netflow codec that ships with logstash?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.