Example: Netflow to Elastic
# Pipeline: receive NetFlow v9 exports, enrich them, and index them in Elasticsearch.
#
# Security notes for anyone deploying this as-is:
#  * NetFlow carries no authentication: any host that can reach the collector
#    port can inject fabricated flow records. Restrict reachability of port
#    2055 (host firewall / security group) to the exporters you trust.
#  * The Elasticsearch output below is plain HTTP with no credentials, which
#    is only acceptable because it stays on the loopback address. Do not
#    point `host` at a remote cluster without TLS and authentication in front
#    of it.
input {
  # NetFlow v9 collector. Port 2055 is the conventional NetFlow port
  # (NetFlow is normally UDP, and the input presumably binds every interface
  # -- confirm both against the plugin's documentation).
  netflowv9 {
    port => 2055
  }
}
filter {
  # Map the numeric IP protocol number in `protocol` to a human-readable name
  # stored in `protocol_name` (the numeric field is kept, only a new field is added).
  ipproto {
    source_field => protocol
    target_field => "protocol_name"
  }
  # GeoIP enrichment of both endpoints. Expect no result (or noise) for
  # private / RFC 1918 addresses, which will be the bulk of internal traffic
  # -- TODO confirm how this plugin behaves on non-routable addresses.
  geoip {
    field => ipv4_src_addr
  }
  geoip {
    field => ipv4_dst_addr
  }
}
output {
  # Elasticsearch on loopback; events are flushed in batches of up to
  # bulk_limit events or when bulk_timeout elapses (unit not shown here,
  # presumably milliseconds -- confirm). Indices are named from `index_prefix`,
  # which must match the "netflow*" pattern of the index template installed
  # alongside this config so the geo_point / ip / date mappings apply.
  elasticsearch {
    host => 127.0.0.1
    port => 9200
    bulk_limit => 1000
    bulk_timeout => 100
    index_prefix => netflow
    data_type => netflow
  }
}
{
"template" : "netflow*",
"settings" : {
"index.refresh_interval" : "15s",
"number_of_shards" : 1,
"number_of_replicas" : 0
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true, "omit_norms" : true},
"dynamic_templates" : [
{
"geo_fields" : {
"mapping": {
"type": "geo_point"
},
"match" : "*_lonlat"
}
}, {
"ip_fields" : {
"mapping" : {
"type" : "ip"
},
"match" : "ipv4_*"
}
}, {
"date_fields" : {
"mapping" : {
"type" : "date"
},
"match" : "*_switched"
}
}, {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fields" : {
"raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
}
}
}
} ],
"properties" : {
"@version": { "type": "string", "index": "not_analyzed" }
}
}
}
}
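# Install the index template above (saved as netflow_template.json) so that
# indices matching "netflow*" get the geo_point / ip / date mappings.
#
# Changes from the bare `curl -XPUT ... --data @file` form:
#  * An explicit JSON Content-Type: without it curl sends the body as
#    application/x-www-form-urlencoded, which Elasticsearch rejects once
#    strict content-type checking is enforced (6.x and later) -- the template
#    would then silently never be installed.
#  * --fail / --show-error: a 4xx/5xx from the template API becomes a non-zero
#    exit status instead of a success-looking run with an error body.
#  * The host is kept as an overridable variable, defaulting to the local
#    unauthenticated endpoint. This request sends no credentials and no TLS;
#    only run it against a loopback/trusted cluster or add the appropriate
#    -u / --cacert options for your deployment.
ES_URL="${ES_URL:-http://localhost:9200}"
curl --fail --show-error -XPUT "${ES_URL}/_template/netflow_template" \
  -H 'Content-Type: application/json' \
  --data @netflow_template.json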