Useragent information

Elastic Stack Beats
1

Hi,
i had parsed netflow via filebeat 7.7.0 and send it to logstash 7.6.2 then elasticsearch 7.6.2, but i see the agent field is only about filebeat, not the client device information.

"agent" => {
                  "id" => "d5cd54a7-e74d-43b9-af3a-efd1c89a98a9",
             "version" => "7.7.0",
                "type" => "filebeat",
        "ephemeral_id" => "761b46cc-fad1-4e14-a703-772afa9246be",
            "hostname" => "localhost.localdomain"
    }

how can i get the client device information like os, version, etc.
Thanks.

2

This "agent" isn't related to user agent at all. It's related to the Beat process: Beat fields | Filebeat Reference [7.13] | Elastic

Speaking of netflow - could you please share your configuration?

3

Thanks for your reply, you mean the filebeat configuration or logstash?

4

Hi,
I use the netflow module in filebeat and here is my configuration.


#============================= Filebeat modules ===============================v
- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 192.168.0.45
      netflow_port: 2055
      protocols: [v9]

and the /etc/filebeat/filebeat.yml



#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.45:5044"]

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/netflow.yml
  #fields: {log_type: netflow}

# Set to true to enable config reloading
  reload.enabled: true

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.45:5044"]



but the output seems does not have netflow.http_user_agent field
5

You will only see a given Netflow-related field if it is contained in the record sent by the device. netflow.http_user_agent is populated from the IPFIX standard field 468: httpUserAgent.

We have data from 100s of different devices, and we have never seen this field sent by any of them. Almost all vendors send such information via proprietary fields, most of which are unsupported by Filebeat.

6

Thank you for your reply, so it is mean the reason that I can't parsing netflow.http_user_agent field is my Cisco device did not provide, am I right?

7

Yes. That is probably the case. You can always do a PCAP of the incoming records and confirm.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.