---
# Field-name translation for Elastic filebeat (7.x and later) indices whose
# documents follow the Elastic Common Schema (ECS).  Under `fieldmappings`,
# the left-hand key is the field name as written in a detection rule and the
# right-hand value is the ECS field it is rewritten to when the rule is
# rendered for one of the backends listed under `backends`.
title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema

# Precedence of this file when several such configurations are combined
# (assumption from the key name — confirm against the consuming tool).
order: 20

# Backends for which this mapping is applied.
backends:
  - es-qs
  - es-dsl
  - es-rule
  - es-rule-eql
  - es-eql
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers

# Index pattern used when a rule does not name one.  Quoted so the wildcard
# is unambiguously a string; it spans every filebeat-* index.
defaultindex: 'filebeat-*'

# A rule field with no entry below is not translated, and a query on an
# untranslated name usually matches nothing at all — a silent detection gap.
# Keep this table in step with the rules that depend on it.
fieldmappings:
  # iptables / netfilter log line fields
  # NOTE(review): later ECS versions deprecate log.original in favour of
  # event.original — confirm against the ECS version your indices carry.
  message: log.original
  IN: iptables.input_device
  OUT: iptables.output_device
  MAC: destination.mac
  SRC: source.ip
  SPT: source.port
  DST: destination.ip
  DPT: destination.port
  SEQ: iptables.tcp.seq
  ACK: iptables.tcp.ack
  PROTO: network.transport

  # generic network / DNS rule fields
  action: event.action
  dst_ip: destination.ip
  dst_port: destination.port
  src_ip: source.ip
  answer: dns.answers.name
  # Several rule-side spellings of "the queried name" all collapse onto the
  # single ECS field dns.question.name.
  c-dns: dns.question.name
  dns_query: dns.question.name
  parent_domain: dns.question.registered_domain
  query: dns.question.name
  QueryName: dns.question.name
  r-dns: dns.question.name
  # NOTE(review): in ECS, dns.type distinguishes query vs. answer; the record
  # class (A, AAAA, CNAME, ...) is dns.question.type — confirm the intended
  # target before relying on rules that use record_type.
  record_type: dns.type
  # NOTE(review): dns.answers is an object/array in ECS rather than a leaf
  # keyword; confirm the listed backends can match on it directly.
  response: dns.answers