Use ecs with vpn server

Hi,
I parse Mikrotik VPN server logs and encountered difficulties in applying ECS for some fields.
Example:
vpn session time - the total time of VPN session
vpn session rx bits or packets
vpn session tx bits or packets

Or how can I distinguish the client public IP from the client private IP?

Hello,

In ECS we don't have a clear concept of sessions, so you couldn't capture many details about a session. For session duration, however, you can use event.duration. This field is meant to capture the duration of any kind of event, so if you have a log event that reports the duration of a finished session, this sounds like a good fit.

For the network transfer metrics, there's a mix of fields that could be interesting in network and in source and destination. Here's a few ideas:

  • rx bytes and packets in source.bytes and source.packets
  • tx bytes and packets in destination.bytes and destination.packets
  • for network address translation you can capture up to 4 addresses with source.ip, source.nat.ip, destination.ip and destination.nat.ip
  • total tx bytes and packets in network.bytes and network.packets
  • You may also be interested in looking into network.protocol, network.direction, network.application and a few others under network.

Good luck!

Thank you very much, you helped me a lot!

I have a clarifying question.

Is it correct to assign the address issued by the DHCP servers (private ip vpn sessions) to source.nat.ip? Or was it supposed to be so when developing?

@orsa

If you are going to use both public and private IPs use the IP of the client as source.ip, the vpn assigned ip as source.nat.ip, and populate related.ip with all 3 to make searching and pivoting easier.

thanks
/d

2 Likes

Thanks for chiming in, @Dain.Perkins 🙂

I also want to amend something I said in my first message. While ECS doesn't have specific fields for "sessions", if you need to capture additional details about sessions (in addition to their duration), you can still do so.

ECS defines a set of fields. But it's perfectly acceptable to have additional non-ECS fields in your events, whenever you need. Here are our recommendations on how to name custom fields to avoid conflicts with future versions of ECS:

https://www.elastic.co/guide/en/ecs/current/ecs-custom-fields-in-ecs.html

1 Like
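The three answers above (event.duration for the session length, source/destination/network byte and packet counters, source.ip plus source.nat.ip with related.ip for pivoting, and a separate namespace for non-ECS session details) can be pulled together in one small mapper. The following is an added example written for this thread, not code from Elastic or from the original posters. The input line is a constructed key=value layout invented here as a stand-in; it is not the real Mikrotik log format, and the `mikrotik.vpn.*` namespace for the custom fields is likewise an assumption. One ECS detail it relies on: event.duration is defined in nanoseconds, so a session time in seconds has to be scaled.

```python
import ipaddress
import re
from typing import Any, Dict, Optional

# Constructed sample line in a key=value layout chosen for this example.
# It is NOT the real Mikrotik log format, only a stand-in carrying the
# fields the thread talks about (session time, rx/tx counters, client IP,
# VPN-assigned IP, server IP).
SAMPLE_LINE = (
    "2024-03-01T10:15:00Z vpn session-closed user=alice "
    "client_ip=203.0.113.5 assigned_ip=10.10.0.7 server_ip=198.51.100.1 "
    "session_time=312 rx_bytes=9734 rx_packets=125 tx_bytes=31920 tx_packets=111"
)

_KV = re.compile(r"(\w+)=(\S+)")
NS_PER_SECOND = 1_000_000_000  # ECS event.duration is expressed in nanoseconds


def _set(doc: Dict[str, Any], path: str, value: Any) -> None:
    """Store a dotted ECS field name as nested keys (source.nat.ip -> {source:{nat:{ip}}})."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _ip(value: Optional[str]) -> Optional[str]:
    """Return the normalized address, or None when the value is absent or not an IP."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def vpn_line_to_ecs(line: str) -> Dict[str, Any]:
    """Map one constructed VPN session line onto ECS field names (nested dict)."""
    kv = dict(_KV.findall(line))
    doc: Dict[str, Any] = {}
    _set(doc, "event.original", line)
    _set(doc, "event.category", ["network"])
    _set(doc, "event.type", ["end"])

    # Session length -> event.duration (nanoseconds).
    if "session_time" in kv:
        _set(doc, "event.duration", int(kv["session_time"]) * NS_PER_SECOND)

    # rx -> source.*, tx -> destination.*, as suggested in the first answer.
    for key, field in (("rx_bytes", "source.bytes"), ("rx_packets", "source.packets"),
                       ("tx_bytes", "destination.bytes"), ("tx_packets", "destination.packets")):
        if key in kv:
            _set(doc, field, int(kv[key]))
    # network.bytes / network.packets are the totals in both directions; only
    # emit them when both halves are present so a partial line does not undercount.
    for rx, tx, field in (("rx_bytes", "tx_bytes", "network.bytes"),
                          ("rx_packets", "tx_packets", "network.packets")):
        if rx in kv and tx in kv:
            _set(doc, field, int(kv[rx]) + int(kv[tx]))

    # Client public IP -> source.ip, VPN-assigned private IP -> source.nat.ip,
    # VPN server -> destination.ip, and every address also in related.ip.
    client = _ip(kv.get("client_ip"))
    assigned = _ip(kv.get("assigned_ip"))
    server = _ip(kv.get("server_ip"))
    if client:
        _set(doc, "source.ip", client)
    if assigned:
        _set(doc, "source.nat.ip", assigned)
    if server:
        _set(doc, "destination.ip", server)
    related = list(dict.fromkeys(ip for ip in (client, assigned, server) if ip))
    if related:
        _set(doc, "related.ip", related)

    if "user" in kv:
        _set(doc, "user.name", kv["user"])
    # Session-specific extras that have no ECS home go under a custom namespace
    # (the name mikrotik.vpn is an assumption made for this example).
    if "session_time" in kv:
        _set(doc, "mikrotik.vpn.session_time_seconds", int(kv["session_time"]))
    return doc


if __name__ == "__main__":
    import json
    print(json.dumps(vpn_line_to_ecs(SAMPLE_LINE), indent=2))
```

Lines that lack the assigned address simply get no source.nat.ip and a shorter related.ip, and an unparseable address is dropped rather than stored as a non-IP string, which would otherwise be rejected by an `ip`-typed mapping at index time.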

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.