Troubling with add_field in filter. Please advice

alfsolli · February 3, 2016, 9:28am

Hi.

Fresh off the boat ELK user here.

Can someone point out what I'm doing wrong here? I'm trying to translate a field (IP address) into FQDN with logstash.
The data source is netflow, and I'm trying to get the IP address from the ipv4_dst_addr field into a separate field, translated.

My logstash.conf :

input {

stdin { } # debug mode

udp {
type => netflow
port => 9995

metadata => true <- This setting gave me an error, so it's commented out. is it vital?

  codec => netflow {
    versions => [5,9,10]
  }
}

#file {

type => "apache"

path => [ "/var/log/apache2/access_log", "/var/log/apache2/error_log" ]

start_position => "beginning"

}

filter {

if [type] == "netflow" {

    mutate {
    add_field => { "hostname" =>  "%{ipv4_dst_addr}" }
        }
  dns {
  action => "replace"
  reverse =>  "hostname"
  add_tag => [ "dns_lookup" ]
}
}

if [type] == "apache" {
grok {
match => { "message" => "%{COMMONAPACHELOG}" }
}
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}

}

output {

stdout {
codec => rubydebug { metadata => true }
}

#elasticsearch {

protocol => "http"

hosts => ["192.168.10.30"]

} <- Disabled until it works

}

I receiev output from a Cisco Meraki Z1 netflow which looks like this (logstash stdout ) :

No matching template for flow id 5206 {:level=>:warn}
No matching template for flow id 5206 {:level=>:warn}
No matching template for flow id 5206 {:level=>:warn}
No matching template for flow id 5206 {:level=>:warn}
{
"@timestamp" => "2016-02-03T09:24:40.000Z",
"netflow" => {
"version" => 9,
"flow_seq_num" => 721581,
"flowset_id" => 5206,
"ipv4_src_addr" => "192.168.10.7",
"ipv4_dst_addr" => "255.255.255.255", <- This IP address, should be moved to the "hostname" field, and translated.
"l4_src_port" => 35432,
"l4_dst_port" => 1900,
"in_bytes" => 0,
"out_bytes" => 0,
"in_pkts" => 0,
"out_pkts" => 0,
"protocol" => 17
},
"@version" => "1",
"type" => "netflow",
"host" => "192.168.10.254", <- this is my Meraki, no need to translate that.
"hostname" => "%{ipv4_dst_addr}" <- This is what I get instead.
}

Any pointers is appreciated.

Kind regards
Alf Solli

alfsolli · February 3, 2016, 9:36am

I forgot. Using logstash-2.1.1-1.noarch, from rpm.

Sorry about the weird formatting. How do I enclose code and config examples properly?

Topic		Replies	Views
DNS filter, how to save IP to a separate field Logstash	2	435	November 8, 2021
Having issue with DNS filter Logstash	8	2440	February 14, 2018
DNS Filter And GeoIP can't see ip field Logstash	4	1147	September 1, 2018
Logstash filter section problem Logstash	3	673	July 24, 2017
Problem with "split" and "add_field" in mutate filter Logstash	5	5469	December 19, 2019