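# Logstash filter stage that maps vendor field names onto ECS field names.
# Source fields such as [some_timestamp_field] read like ecs-mapper placeholders;
# replace them with the real fields of the event being ingested.
filter {
  mutate {
    # Within ONE mutate block Logstash applies operations in a fixed order
    # (rename, update, replace, convert, gsub, uppercase, lowercase, ..., copy),
    # not in the order they are written. rename -> convert therefore works in
    # a single block, but copy -> convert does not: convert runs first, finds
    # no target field yet, and silently skips. Converts of copied fields are
    # placed in the second mutate block below.
    copy => { '[srcip]' => '[source][address]' }
    # Two sources feed [source][ip]; when an event carries both, the later
    # copy overwrites the earlier one.
    copy => { '[srcip]' => '[source][ip]' }
    copy => { '[new_event][srcip]' => '[source][ip]' }
    rename => { '[srcport]' => '[source][port]' }
    convert => { '[source][port]' => 'integer' }
    copy => { '[destip]' => '[destination][address]' }
    copy => { '[destport]' => '[destination][port]' }
    # NOTE(review): target is [timestamp], not [@timestamp] — confirm intended.
    copy => { '[ts]' => '[timestamp]' }
    rename => { '[action]' => '[event][action]' }
    lowercase => [ '[event][action]' ]
    rename => { '[duration]' => '[event][duration]' }
    convert => { '[event][duration]' => 'float' }
    rename => { '[user_agent]' => '[user_agent][original]' }
    rename => { '[log_level]' => '[log][level]' }
    uppercase => [ '[log][level]' ]
    rename => { '[eventid]' => '[event][id]' }
    # ECS event.id is a keyword; force string so numeric ids don't change type.
    convert => { '[event][id]' => 'string' }
    rename => { '[hostip]' => '[host][ip]' }
  }
  mutate {
    # Separate block so this runs AFTER the copy above has populated the field
    # (see ordering note). NOTE(review): convert does not validate input; a
    # non-numeric port from a malformed or hostile log line is coerced rather
    # than rejected — confirm the downstream mapping tolerates that.
    convert => { '[destination][port]' => 'integer' }
  }
  # Both date filters write @timestamp; if an event carries both source fields
  # the second one wins. A missing source field is skipped; an unparseable one
  # adds the default _dateparsefailure tag, which is worth alerting on.
  date {
    match => ["[some_timestamp_field]", "UNIX_MS"]
    target => "[@timestamp]"
  }
  date {
    match => ["[some_other_timestamp]", "UNIX_MS"]
    target => "[@timestamp]"
  }
  date {
    match => ["[some_new_timestamp]", "UNIX"]
    target => "[destination_timestamp]"
  }
  # ECS host.ip is array-valued; normalise a scalar into a one-element array.
  # Array() leaves a value that is already an array unchanged, so this is
  # safe to re-run. The ruby code only uses event.get/set on a fixed field
  # name, so event content never reaches the interpreter as code.
  if [host][ip] {
    ruby {
      code => "event.set('[host][ip]', Array(event.get('[host][ip]')) )"
    }
  }
}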