Reserved fieldnames?

I have trouble with a mutation filter. First I put the data through a kv filter into a target field "kv". That works fine. After that I want to rename the fields, e.g.

mutate { rename => { "[kv][product]" => "[product]" }}

This works with about 20 fields, except with [kv][scheme] and [kv][methods].
Are there reserved fieldnames? How can I get access to the values, or how can I rename the fields?

What happens with [kv][scheme] and [kv][methods]?

The filter doesn't handle [kv][scheme] and [kv][methods].

This is an output; the message field holds the original input:
{
"@timestamp": "2018-07-23T15:07:05.000Z",
"@version": "1",
"action": "Decrypt",
"community": "RemoteAccess",
"dst": "1.1.1.1",
"fw_subproduct": "VPN-1",
"host": "192.168.146.240",
"ifdir": "inbound",
"ifname": "eth7",
"inzone": "External",
"kv": {
"methods:": "ESP: 3DES + SHA1",
"scheme:": "IKE"
},
"loguid": "{0x5b55ef19,0x1d,0xfb92a8c0,0xc0000005}",
"message": "time="1532358425" action="Decrypt" flags="417028" ifdir="inbound" ifname="eth7" logid="0" loguid="{0x5b55ef19,0x1d,0xfb92a8c0,0xc0000005}" origin="2.2.2.2" originsicname="CN=srv-1,O=mgmt..yybz" sequencenum="88" time="1532358425" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={3860A-DB24-B449-9955-958B7D24};mgmt=mgmt;date=1532071301;policy_name=Policy-1]" community="RemoteAccess" dst="1.1.1.1" fw_subproduct="VPN-1" inzone="External" lastupdatetime="1532358425" layer_name="Policy Network" layer_uuid="abcf83-bb37-4bd3-9418-39fdaeee9" match_id="0" parent_rule="0" rule_action="Accept" rule_name="Implied Rule " rule_uid="0E6801-8AB0-4b1e-A317-8BE3B43" methods:="ESP: 3DES + SHA1" nat_addtnl_rulenum="0" nat_rulenum="0" outzone="Local" peer_gateway="192.168.101.234" product="VPN-1 & FireWall-1" proto="17" s_port="18203" scheme:="IKE" service="18234" service_id="tunnel_test" session_uid="{5B55-0000-0000-0AA6-FE020000}" src="192.168.101.234" vpn_feature_name="VPN" xlatedport="0" xlatedst="10.10.10.1" xlatesport="0" xlatesrc="0.0.0.0" ",
"nat": {
"rulenum": "0",
"s_port": "0",
"src": "0.0.0.0",
"nat_addtnl_rulenum": "0",
"d_port": "0",
"dst": "10.10.10.1"
},
"origin": {
"ip": "2.2.2.2",
"policy_name": "Cluster_Policy",
"name": "srv-1"
},
"outzone": "Local",
"peer_gateway": "192.168.101.234",
"port": 58308,
"product": "VPN-1 & FireWall-1",
"protocol": "17",
"rule": {
"action": "Accept",
"uid": "0E-8AB0-4b1e-A317-8BE3305B43",
"name": "Implied Rule "
},
"sequencenum": "88",
"service": "18234",
"servicename": "tunnel_test",
"session_uid": "{5B55-0000-0000-0AA6-FE020000}",
"src": "192.168.101.234",
"srcport": "18203",
"tags": [
"fw_log"
],
"type": "checkpointlog",
"vpn_feature_name": "VPN"
}

Oh no... now I see it.

scheme:
methods:

sorry
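
The cause spotted in the last post, written out as an added example that is not part of any post in this thread: the kv filter produced the keys `scheme:` and `methods:` with a trailing colon, so a rename of `[kv][scheme]` matches nothing. The `source => "message"` setting is an assumption, since the original kv configuration is not shown.

```logstash
filter {
  kv {
    # Assumption: the raw Check Point line is in "message" (the thread does not show this setting).
    source   => "message"
    target   => "kv"
    # The log emits these two keys as `scheme:` and `methods:`.
    # trim_key strips the listed characters from the start and end of every key,
    # so they are stored as [kv][scheme] and [kv][methods].
    trim_key => ":"
  }

  mutate {
    rename => {
      "[kv][product]" => "[product]"
      "[kv][scheme]"  => "[scheme]"
      "[kv][methods]" => "[methods]"
    }
  }

  # Alternative without trim_key: address the keys exactly as kv stored them,
  # trailing colon included.
  # mutate {
  #   rename => {
  #     "[kv][scheme:]"  => "[scheme]"
  #     "[kv][methods:]" => "[methods]"
  #   }
  # }
}
```

Whatever is still left under `kv` after the renames (as `scheme:` and `methods:` are in the output above) shows which keys did not match.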
