-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlogstash.conf
74 lines (72 loc) · 3.15 KB
/
logstash.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
input {
azureblob
{
storage_account_name => "flowst"
storage_access_key => "g9aFKL81HpHQ5ObQ5AbU7nBSHwn971WJdVlrCo+ik4Ms5DwsuInxEqgy37StYsKzzFB+RHghOyie+AStgY6xdQ=="
container => "insights-logs-networksecuritygroupflowevent"
codec => "json"
# Refer https://learn.microsoft.com/azure/network-watcher/network-watcher-read-nsg-flow-logs
# Typical numbers could be 21/9 or 12/2 depends on the nsg log file types
file_head_bytes => 12
file_tail_bytes => 2
# Enable / tweak these settings when event is too big for codec to handle.
# break_json_down_policy => "with_head_tail"
# break_json_batch_count => 2
}
}
filter {
split { field => "[records]" }
split { field => "[records][properties][flows]"}
split { field => "[records][properties][flows][flows]"}
split { field => "[records][properties][flows][flows][flowTuples]"}
mutate {
split => { "[records][resourceId]" => "/"}
add_field => { "Subscription" => "%{[records][resourceId][2]}"
"ResourceGroup" => "%{[records][resourceId][4]}"
"NetworkSecurityGroup" => "%{[records][resourceId][8]}"
}
convert => {"Subscription" => "string"}
convert => {"ResourceGroup" => "string"}
convert => {"NetworkSecurityGroup" => "string"}
split => { "[records][properties][flows][flows][flowTuples]" => "," }
add_field => {
"unixtimestamp" => "%{[records][properties][flows][flows][flowTuples][0]}"
"srcIp" => "%{[records][properties][flows][flows][flowTuples][1]}"
"destIp" => "%{[records][properties][flows][flows][flowTuples][2]}"
"srcPort" => "%{[records][properties][flows][flows][flowTuples][3]}"
"destPort" => "%{[records][properties][flows][flows][flowTuples][4]}"
"protocol" => "%{[records][properties][flows][flows][flowTuples][5]}"
"trafficflow" => "%{[records][properties][flows][flows][flowTuples][6]}"
"traffic" => "%{[records][properties][flows][flows][flowTuples][7]}"
"flowstate" => "%{[records][properties][flows][flows][flowTuples][8]}"
"packetsSourceToDest" => "%{[records][properties][flows][flows][flowTuples][9]}"
"bytesSentSourceToDest" => "%{[records][properties][flows][flows][flowTuples][10]}"
"packetsDestToSource" => "%{[records][properties][flows][flows][flowTuples][11]}"
"bytesSentDestToSource" => "%{[records][properties][flows][flows][flowTuples][12]}"
}
add_field => {
"time" => "%{[records][time]}"
"systemId" => "%{[records][systemId]}"
"category" => "%{[records][category]}"
"resourceId" => "%{[records][resourceId]}"
"operationName" => "%{[records][operationName]}"
"Version" => "%{[records][properties][Version]}"
"rule" => "%{[records][properties][flows][rule]}"
"mac" => "%{[records][properties][flows][flows][mac]}"
}
convert => {"unixtimestamp" => "integer"}
convert => {"srcPort" => "integer"}
convert => {"destPort" => "integer"}
add_field => { "message" => "%{Message}" }
}
date {
match => ["unixtimestamp" , "UNIX"]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => "localhost"
index => "nsg-flow-logs"
}
}