Useragent information

111401 · July 5, 2021, 8:08am

Hi,
i had parsed netflow via filebeat 7.7.0 and send it to logstash 7.6.2 then elasticsearch 7.6.2, but i see the agent field is only about filebeat, not the client device information.

"agent" => {
                  "id" => "d5cd54a7-e74d-43b9-af3a-efd1c89a98a9",
             "version" => "7.7.0",
                "type" => "filebeat",
        "ephemeral_id" => "761b46cc-fad1-4e14-a703-772afa9246be",
            "hostname" => "localhost.localdomain"
    }

how can i get the client device information like os, version, etc.
Thanks.

mtojek · July 5, 2021, 8:28am

This "agent" isn't related to user agent at all. It's related to the Beat process: Beat fields | Filebeat Reference [7.13] | Elastic

Speaking of netflow - could you please share your configuration?

111401 · July 5, 2021, 8:51am

Thanks for your reply, you mean the filebeat configuration or logstash?

111401 · July 15, 2021, 10:05am

Hi,
I use the netflow module in filebeat and here is my configuration.


#============================= Filebeat modules ===============================v
- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 192.168.0.45
      netflow_port: 2055
      protocols: [v9]
and the /etc/filebeat/filebeat.yml


#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.45:5044"]

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/netflow.yml
  #fields: {log_type: netflow}

# Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.45:5044"]

but the output seems does not have netflow.http_user_agent field

rcowart · July 15, 2021, 9:37pm

You will only see a given Netflow-related field if it is contained in the record sent by the device. netflow.http_user_agent is populated from the IPFIX standard field 468: httpUserAgent.

We have data from 100s of different devices, and we have never seen this field sent by any of them. Almost all vendors send such information via proprietary fields, most of which are unsupported by Filebeat.

111401 · July 19, 2021, 3:51am

Thank you for your reply, so it is mean the reason that I can't parsing netflow.http_user_agent field is my Cisco device did not provide, am I right?

rcowart · July 19, 2021, 8:56am

Yes. That is probably the case. You can always do a PCAP of the incoming records and confirm.

system · August 16, 2021, 10:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.