Queries regarding logsatsh configuration file

input {
beats {
port => "9006"

}
}

filter {

mutate {
add_field => { "beat_version" => "%{[beat][version]}" }
}

mutate {
add_field => { "log_file" => "%{[log][file][path]}" }

}
mutate {
add_field => { "beat_input_type" => "%{[input][type]}" }
}

mutate{
remove_field => [ "offset","prospector","@version","source","host","beat","log","input" ]
}

if [message] =~ /^#/ {
drop {}

}

mutate {
split => { "message" => "\t" }
}

if [message] {
grok {
match => {
"message" => "%{NUMBER:ts:float} %{DATA:uid} %{IP:id.orig_h} %{NUMBER:id.orig_p:int} %{IP:id.resp_h} %{NUMBER:id.resp_p:int} %{DATA:proto} %{DATA:service} %{NUMBER:duration:float} %{NUMBER:orig_bytes:int} %{NUMBER:resp_bytes:int} %{DATA:conn_state} %{DATA:local_orig} %{NUMBER:missed_bytes:int} %{DATA:history} %{NUMBER:orig_pkts:int} %{NUMBER:orig_ip_bytes:int} %{NUMBER:resp_pkts:int} %{NUMBER:resp_ip_bytes:int} %{DATA:tunnel_parents} %{DATA:threat}"
}
}

}

date {
  match => ["ts", "UNIX"]
  target => "@timestamp"
}

}

output{
elasticsearch{
hosts => ["https://0.0.0.0:9200"]
index => "zeek-%{+YYYY.MM.dd}"

ssl_certificate_verification => false
       user => "elastic"
       password => "WNPUwxtVX_1-d-fUGorw"

}
stdout { codec => rubydebug }
}

I am not able to parse the data based on above script. Please provide me with an updated script

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.