Hello Team,
I tried rename field in logstash. I received syslog and save log in file.
This is my conf.
input {
udp {
port => "5133"
type => "syslog"
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_ferramenta}: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss.SSS", "MMM dd HH:mm:ss.SSS" ]
timezone => "Europe/Spain"
}
json {
source => "syslog_message"
}
mutate {
rename => {
"[_source][src_ip]" => "[_source][source_ip]"
"[_source][proto]" => "[_source][protocol]"
}
}
}
}
output {
file {
path => "/var/log/test/suricata.json"
codec => line { format => "%{syslog_message}"}
}
}
The log save in file:
{"timestamp":"2020-09-22T15:38:16.211953-0300","flow_id":0000000000000041,"in_iface":"ix3","event_type":"alert","lan":[200],"src_ip":"192.168.0.1","src_port":44669,"dest_ip":"192.168.0.1","dest_port":3389,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":65535003,"rev":1,"signature":"ProApps Unauthorized","category":"Attempted Denial of Service","severity":2},"app_proto":"ntp","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":94,"bytes_toclient":0,"start":"2020-09-22T15:38:16.211953-0300"}}
I dont have problem with this...i just tried use the mutate to rename.
I used
mutate {
rename => {
"[_source][src_ip]" => "[_source][source_ip]"
"[_source][proto]" => "[_source][protocol]"
}
}
and
mutate {
rename => {
"[src_ip]" => "[source_ip]"
"[proto]" => "[protocol]"
}
}
Can you help me ?