Rename Fields

asalma · May 17, 2018, 7:42am

Hi,

I have made two filters for two firewalls and I want to rename the fiealds so they have the same name for each field, and also I want to put ip_dest and ip_source in one IP fieald. How can I do this please?

See my config file :

input {
  beats {
    port => "5044"
    type => "%{log_type}"
  }
}

filter {
         grok {
                match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{GREEDYDATA:data}"}
        }
        date {
                match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
        if [type] == "fortigate" {
        # extract syslog_timestamp hostname and data from the syslog message
                kv {
                        source => "data"
                }
                mutate {
                        remove_field => [ "data" ]
                }
        }
        if [type] == "cisco_asa" {
        # extract syslog_timestamp hostname and data from the syslog message
                grok {
                        match => { "data" => "%{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}"}
                }
                grok {
                        match => [
                        "cisco_message", "%{CISCOFW106001}",
                        "cisco_message", "%{CISCOFW106006_106007_106010}",
                        "cisco_message", "%{CISCOFW106014}",
                        "cisco_message", "%{CISCOFW106015}",
                        "cisco_message", "%{CISCOFW106021}",
                        "cisco_message", "%{CISCOFW106023}",
                        "cisco_message", "%{CISCOFW106100}",
                        "cisco_message", "%{CISCOFW110002}",
                        "cisco_message", "%{CISCOFW302010}",
                        "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
                        "cisco_message", "%{CISCOFW302020_302021}",
                        "cisco_message", "%{CISCOFW305011}",
                        "cisco_message", "%{CISCOFW313001_313004_313008}",
                        "cisco_message", "%{CISCOFW313005}",
                        "cisco_message", "%{CISCOFW402117}",
                        "cisco_message", "%{CISCOFW402119}",
                        "cisco_message", "%{CISCOFW419001}",
                        "cisco_message", "%{CISCOFW419002}",
                        "cisco_message", "%{CISCOFW500004}",
                        "cisco_message", "%{CISCOFW602303_602304}",
                        "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
                        "cisco_message", "%{CISCOFW713172}",
                        "cisco_message", "%{CISCOFW733100}",
                        "cisco_message", "%{WORD:action} %{WORD:protocol} %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface$
                        "cisco_message", "%{CISCO_ACTION:action} %{WORD:protocol} %{CISCO_REASON:reason}.*(%{IP:src_ip}).*%{IP:dst_ip} on interface %{GREEDYDATA:interface}",
                        "cisco_message", "Connection limit exceeded %{INT:inuse_connections}/%{INT:connection_limit} for input packet from %{IP:src_ip}/%{INT:src_port} to %{IP:$
                        "cisco_message", "TCP Intercept %{DATA:threat_detection} to %{IP:ext_nat_ip}/%{INT:ext_nat_port}.*(%{IP:int_nat_ip}/%{INT:int_nat_port}).*Average rate o$
                        "cisco_message", "Embryonic connection limit exceeded %{INT:econns}/%{INT:limit} for %{WORD:direction} packet from %{IP:src_ip}/%{INT:src_port} to %{IP:$
                        ]
                }
                mutate {
                        remove_field => [ "data" ]
                }
        }
}

output {
        elasticsearch {
                hosts => [ "localhost:9200" ]
        }
}

magnusbaeck · May 17, 2018, 8:35pm

I have made two filters for two firewalls and I want to rename the fiealds so they have the same name for each field,

Use a mutate filter's rename option.

and also I want to put ip_dest and ip_source in one IP fieald.

Not sure exactly what you mean here. You want to store both IP addresses in a single (array) field?

system · June 14, 2018, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rename field - input syslog Logstash	2	376	October 21, 2020
Renaming multiple fields that are nested Logstash	4	1020	April 8, 2022
Rename field Logstash	3	703	February 21, 2018
Logstash rename json fields Logstash	7	651	March 15, 2023
How to re-name multiple field names at once in logstash Logstash	2	902	January 10, 2022

Rename Fields

Related topics