netflow

  1. input {
  2.     udp {
  3.       port => 9995
  4.       codec => netflow {
  5.         definitions => "/home/administrator/logstash-1.4.2/lib/logstash/codecs/netflow/netflow.yaml"
  6.         versions => [5]
  7.       }
  8.     }
  9.   }
  11.   output {
  12.     stdout { codec => rubydebug }
  13.     if ( [host] =~ "10\.1\.1[12]\.1" ) {
  14.       elasticsearch {
  15.         index => "logstash_netflow5-%{+YYYY.MM.dd}"
  16.         host => "localhost"
  17.       }
  18.     } else {
  19.       elasticsearch {
  20.         index => "logstash-%{+YYYY.MM.dd}"
  21.         host => "localhost"
  22.       }
  23.     }
  24.   }
  1. curl -XPUT localhost:9200/_template/logstash_netflow5 -d '{
  2.     "template" : "logstash_netflow5-*",
  3.     "settings": {
  4.       "index.refresh_interval": "5s"
  5.     },
  6.     "mappings" : {
  7.       "_default_" : {
  8.         "_all" : {"enabled" : false},
  9.         "properties" : {
  10.           "@version": { "index": "analyzed", "type": "integer" },
  11.           "@timestamp": { "index": "analyzed", "type": "date" },
  12.           "netflow": {
  13.             "dynamic": true,
  14.             "type": "object",
  15.             "properties": {
  16.               "version": { "index": "analyzed", "type": "integer" },
  17.               "flow_seq_num": { "index": "not_analyzed", "type": "long" },
  18.               "engine_type": { "index": "not_analyzed", "type": "integer" },
  19.               "engine_id": { "index": "not_analyzed", "type": "integer" },
  20.               "sampling_algorithm": { "index": "not_analyzed", "type": "integer" },
  21.               "sampling_interval": { "index": "not_analyzed", "type": "integer" },
  22.               "flow_records": { "index": "not_analyzed", "type": "integer" },
  23.               "ipv4_src_addr": { "index": "analyzed", "type": "ip" },
  24.               "ipv4_dst_addr": { "index": "analyzed", "type": "ip" },
  25.               "ipv4_next_hop": { "index": "analyzed", "type": "ip" },
  26.               "input_snmp": { "index": "not_analyzed", "type": "long" },
  27.               "output_snmp": { "index": "not_analyzed", "type": "long" },
  28.               "in_pkts": { "index": "analyzed", "type": "long" },
  29.               "in_bytes": { "index": "analyzed", "type": "long" },
  30.               "first_switched": { "index": "not_analyzed", "type": "date" },
  31.               "last_switched": { "index": "not_analyzed", "type": "date" },
  32.               "l4_src_port": { "index": "analyzed", "type": "long" },
  33.               "l4_dst_port": { "index": "analyzed", "type": "long" },
  34.               "tcp_flags": { "index": "analyzed", "type": "integer" },
  35.               "protocol": { "index": "analyzed", "type": "integer" },
  36.               "src_tos": { "index": "analyzed", "type": "integer" },
  37.               "src_as": { "index": "analyzed", "type": "integer" },
  38.               "dst_as": { "index": "analyzed", "type": "integer" },
  39.               "src_mask": { "index": "analyzed", "type": "integer" },
  40.               "dst_mask": { "index": "analyzed", "type": "integer" }
  41.             }
  42.           }
  43.         }
  44.       }
  45.     }
  46.   }'