Hello all.
I m doing a real time monitor for fortinet bandwith but sent and received packets are in byte.
I make a sum of all but it's not easy readable in byte.
So i need to convert all bytes in megabytes.
Here's my conf file.
input {
file {
path => "/var/log/fortigate100D"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} time=%{TIME:time} devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=%{WORD:vd} srcip=%{IP:srcip} srcport=%{NUMBER:srcport} srcintf="%{WORD:srcintf}" dstip=%{IP:dstip} dstport=%{NUMBER:dstport} dstintf="%{WORD:dstintf}" poluuid=%{UUID:poluuid} sessionid=%{NUMBER:sessionid} proto=%{NUMBER:proto} action=%{WORD:action} policyid=%{NUMBER:policyid} policytype=%{DATA:policytype} dstcountry="%{DATA:dstcountry}" srccountry="%{DATA:srccountry}" trandisp=%{WORD:trandisp} transip=%{IP:transip} transport=%{NUMBER:transport} service="%{WORD:service}" duration=%{NUMBER:duration} sentbyte=%{NUMBER:sentbyte} rcvdbyte=%{NUMBER:rcvdbyte} sentpkt=%{NUMBER:sentpkt} rcvdpkt=%{NUMBER:rcvdpkt} appcat="%{WORD:appcat}"" }
}
grok {
match => { "message" => "date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} time=%{TIME:time} devname=%{HOSTNAME:devname} devid=%{HOSTNAME:devid} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} eventtype=%{WORD:eventtype} level=%{WORD:level} vd=%{WORD:vd} policyid=%{NUMBER:policyid} sessionid=%{NUMBER:sessionid} user="" srcip=%{IP:srcip} srcport=%{NUMBER:srcport} srcintf="%{WORD:srcintf}" dstip=%{IP:dstip} dstport=%{NUMBER:dstport} dstintf="%{WORD:dstintf}" proto=%{NUMBER:proto} service=%{WORD:service} hostname="%{DATA:URLCible}" profile="%{DATA:profilePROXY}" action=%{WORD:action}" }
}
mutate {
convert => [ "rcvdbyte", "integer" ]
convert => [ "sentbyte", "integer" ]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "forti100d-logstash-%{+YYYY.MM.dd}"
}
}
thanks.
