input {
beats {
port => "9006"
}
}
filter {
mutate {
add_field => { "beat_version" => "%{[beat][version]}" }
}
mutate {
add_field => { "log_file" => "%{[log][file][path]}" }
}
mutate {
add_field => { "beat_input_type" => "%{[input][type]}" }
}
mutate{
remove_field => [ "offset","prospector","@version","source","host","beat","log","input" ]
}
if [message] =~ /^#/ {
drop {}
}
mutate {
split => { "message" => "\t" }
}
if [message] {
grok {
match => {
"message" => "%{NUMBER:ts:float} %{DATA:uid} %{IP:id.orig_h} %{NUMBER:id.orig_p:int} %{IP:id.resp_h} %{NUMBER:id.resp_p:int} %{DATA:proto} %{DATA:service} %{NUMBER:duration:float} %{NUMBER:orig_bytes:int} %{NUMBER:resp_bytes:int} %{DATA:conn_state} %{DATA:local_orig} %{NUMBER:missed_bytes:int} %{DATA:history} %{NUMBER:orig_pkts:int} %{NUMBER:orig_ip_bytes:int} %{NUMBER:resp_pkts:int} %{NUMBER:resp_ip_bytes:int} %{DATA:tunnel_parents} %{DATA:threat}"
}
}
}
date {
match => ["ts", "UNIX"]
target => "@timestamp"
}
}
output{
elasticsearch{
hosts => ["https://0.0.0.0:9200"]
index => "zeek-%{+YYYY.MM.dd}"
ssl_certificate_verification => false
user => "elastic"
password => "WNPUwxtVX_1-d-fUGorw"
}
stdout { codec => rubydebug }
}
I am not able to parse the data based on above script. Please provide me with an updated script