Translate within mutate section


#1

Hi, I want to add some info in the event that a list of specific IPs are contacted. From what I've seen the translate filter should be able to do this, but I don't know where to place it correctly. Below is not working:

if [event_id] == 3 {
  mutate {
    add_field => { "action" => "networkconnect" }
    rename => {
      "[event_data][DestinationHostname]" => "host_dst_name"
      "[event_data][DestinationIp]" => "ip_dst"
      "[event_data][DestinationIsIpv6]" => "ip_dst_isipv6"
      "[event_data][DestinationPort]" => "port_dst_number"
      "[event_data][DestinationPortName]" => "port_dst_name"
      "[event_data][Initiated]" => "network_initiated"
      "[event_data][Protocol]" => "network_protocol"
      "[event_data][SourceHostname]" => "host_src_name"
      "[event_data][SourceIp]" => "ip_src"
      "[event_data][SourceIsIpv6]" => "ip_src_isipv6"
      "[event_data][SourcePort]" => "port_src_number"
      "[event_data][SourcePortName]" => "port_src_port_name"
    }
    translate {
      field => "ip_dst"
      destination => "MaliciousIP"
      dictionary_path => "/home/ssi/HELK/helk-logstash/firehol_BadIp4.yaml"
    }
  }
  geoip {
    source => "ip_dst"
    remove_field => "[geoip][ip]"
  }
}

The YAML file has the following format:

"IP_BAD": "YES"

I'm using this "recipe"

except I changed the Logstash code to fit my current setup, with little success so far.


(Christian Dahlqvist) #2

mutate and translate are two separate filters, so they cannot be nested as you have done. You need to place the translate filter after the mutate filter.
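
The poster's event_id 3 block with the translate filter moved out of mutate, as an added example that is not part of the original thread or of HELK. The field names, the destination field MaliciousIP and the dictionary path are taken from the question; the sample dictionary entries shown in the comment are constructed, and the `exact`/`refresh_interval` settings and the tagging conditional after the lookup are additions to show how the lookup result can be tested downstream.

```conf
# Added example (not the original post's or HELK's code): the same Sysmon
# event_id 3 block, with translate placed beside mutate instead of inside it.
# Filters in a block run in order, so "ip_dst" already exists from the
# rename when translate looks it up.
#
# firehol_BadIp4.yaml is assumed to map an IP address to a value, one entry
# per line (constructed sample, not the real file):
#   "198.51.100.23": "YES"
#   "203.0.113.9": "YES"
filter {
  if [event_id] == 3 {
    mutate {
      add_field => { "action" => "networkconnect" }
      rename => {
        "[event_data][DestinationHostname]" => "host_dst_name"
        "[event_data][DestinationIp]" => "ip_dst"
        "[event_data][DestinationIsIpv6]" => "ip_dst_isipv6"
        "[event_data][DestinationPort]" => "port_dst_number"
        "[event_data][DestinationPortName]" => "port_dst_name"
        "[event_data][Initiated]" => "network_initiated"
        "[event_data][Protocol]" => "network_protocol"
        "[event_data][SourceHostname]" => "host_src_name"
        "[event_data][SourceIp]" => "ip_src"
        "[event_data][SourceIsIpv6]" => "ip_src_isipv6"
        "[event_data][SourcePort]" => "port_src_number"
        "[event_data][SourcePortName]" => "port_src_port_name"
      }
    }

    # translate is its own filter: a sibling of mutate, not a child of it.
    translate {
      field            => "ip_dst"
      destination      => "MaliciousIP"
      dictionary_path  => "/home/ssi/HELK/helk-logstash/firehol_BadIp4.yaml"
      exact            => true    # whole-value key match (the default)
      refresh_interval => 300     # re-read the file every 5 minutes
    }

    # MaliciousIP is only created when ip_dst is a key in the dictionary,
    # so a plain existence test marks the hits.
    if [MaliciousIP] {
      mutate { add_tag => [ "bad_destination_ip" ] }
    }

    geoip {
      source       => "ip_dst"
      remove_field => "[geoip][ip]"
    }
  }
}
```

The dictionary file has to be readable by the Logstash process itself; when Logstash runs in a container, as it does in HELK, the path must exist inside that container, not only on the host. Because translate keys are compared as strings, the quoted IPs in the YAML must match the exact text that ends up in ip_dst.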


#3

But still with the same filter statement, right? So I just move it outside the mutate section, right?

Thanks for the quick reply, you rock.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.