Hello!
I am using ELK to analyze log files, for example from a Cisco firewall via the Filebeat cisco module, and I want to compare the IPs in these logs against a file consisting of bad IPs.
I came to the conclusion to send the log files from the Filebeat cisco module to Logstash and use translate.
Here is my conf:
```
filter {
  translate {
    # Logstash field references use bracket syntax; a bare "destination.ip"
    # names a single top-level field literally called "destination.ip"
    # (the dotted form was tried as well)
    dictionary_path => "/path to/file.yaml"
    field => "[destination][ip]"
    destination => "DESTIOC"
    override => true
  }
  translate {
    dictionary_path => "/path to/file.yaml"
    field => "[source][ip]"
    destination => "SRCIOC"
    override => true
  }
}
output {
  elasticsearch {
    hosts => "elastic_ip:9200"
    manage_template => false
    # the opening %{ of the first sprintf reference was missing
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # the Filebeat module's field parsing runs in this Elasticsearch ingest pipeline
    pipeline => "%{[@metadata][pipeline]}"
    user => "elastic"
    password => "secret"
  }
  stdout {
    codec => rubydebug
  }
}
```
I can see that the logs are coming in, but the translation doesn't work.
Where is my mistake? Help me, please.
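The following is an added example, not the poster's configuration or any Logstash code: a small stand-alone re-implementation of what the translate filter does (resolve a field reference, exact-match its value against the dictionary, write the hit to `destination`), run against a constructed IOC list and two constructed events. It makes two things visible that the config above cannot: a bare `destination.ip` is a single top-level key, not a path into the `destination` object, so it resolves to nothing on an ECS-shaped event; and an event that has not been parsed yet (a Filebeat module event carrying only `message`, because the module's parsing happens in the Elasticsearch ingest pipeline named by `[@metadata][pipeline]`) has no `[source][ip]` for translate to look up at all. The function names, the IOC entries and the sample events are assumptions made for this example.

```python
"""Constructed stand-in for the Logstash translate filter lookup."""
import re

# Constructed sample in the flat "key: value" YAML shape that
# translate's dictionary_path reads (not the poster's real file).
IOC_YAML = """\
# bad IPs (constructed sample)
"203.0.113.7": "c2-server"
"198.51.100.23": "scanner"
"""

# Constructed events: one already parsed into ECS fields, one exactly as
# Logstash receives it from a Filebeat module before the ingest pipeline
# in Elasticsearch has parsed the message.
PARSED_EVENT = {
    "source": {"ip": "203.0.113.7", "port": 51234},
    "destination": {"ip": "10.0.0.5", "port": 443},
}
UNPARSED_EVENT = {
    "message": "%ASA-6-302013: Built outbound TCP connection ...",
    "event": {"module": "cisco", "dataset": "cisco.asa"},
}

_REF = re.compile(r"\[([^\]]+)\]")


def load_dictionary(text):
    """Parse the flat key: value subset of YAML that translate uses."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip().strip("\"'")] = value.strip().strip("\"'")
    return table


def get_field(event, ref):
    """Resolve a Logstash field reference against a nested event.

    "[a][b]" walks nested keys.  A bare name such as "destination.ip" is
    treated as ONE top-level key (dots are not path separators), which is
    why it finds nothing when destination is an object.
    """
    parts = _REF.findall(ref) or [ref]
    node = event
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def translate(event, table, field, destination, override=False):
    """Mimic the translate filter: exact-match lookup of the field value.

    Nothing is written when the field is absent, when the value is not a
    dictionary key, or when destination exists and override is false.
    Returns True when a translation was written to the event.
    """
    value = get_field(event, field)
    if value is None or (not override and destination in event):
        return False
    hit = table.get(str(value))
    if hit is None:
        return False
    event[destination] = hit
    return True


def run_pipeline(event, table):
    """Apply the two translate blocks from the config to a copy of event."""
    out = dict(event)
    translate(out, table, "[destination][ip]", "DESTIOC", override=True)
    translate(out, table, "[source][ip]", "SRCIOC", override=True)
    return out


if __name__ == "__main__":
    iocs = load_dictionary(IOC_YAML)
    print(run_pipeline(PARSED_EVENT, iocs))      # SRCIOC added, no DESTIOC
    print(run_pipeline(UNPARSED_EVENT, iocs))    # unchanged: no ip fields yet
    print(get_field(PARSED_EVENT, "source.ip"))  # None: dotted form is one key
```

The lookup is an exact string match on the dictionary key, as in the real filter, so a CIDR entry such as `198.51.100.0/24` in the file would never match an individual address; ranges need a different filter (for example cidr) rather than translate.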