接收 90 端口(UDP)的 NetFlow 日志,由 netflow codec 解析出源 IP、源端口、目的 IP、目的端口,并以 syslog 格式输出到任意主机/端口。注意:90 是 1024 以下的特权端口,Logstash 需要以 root 运行或具备 CAP_NET_BIND_SERVICE 才能绑定(NetFlow 的常用端口为 2055);UDP 不校验来源,任何能访问该端口的主机都可以伪造 flow 记录,应在主机防火墙上只放行导出设备的地址;logstash-output-syslog 默认使用明文 UDP 发送,跨不可信网络时应改用 tcp 或 ssl-tcp。
netflow 日志格式(netflow codec 解码后的事件,rubydebug 输出,# 后为字段说明):
{
    "netflow" => {
        "last_switched"   => "2020-05-28T02:39:13.781Z",
        "dst_as"          => 0,
        "in_bytes"        => 183,
        "ipv4_src_addr"   => "120.92.11.28",   # 源IP
        "protocol"        => 6,
        "ipv4_next_hop"   => "172.16.10.10",
        "input_snmp"      => 1,
        "version"         => 9,
        "flowset_id"      => 265,
        "src_as"          => 0,
        "tcp_flags"       => 24,
        "first_switched"  => "2020-05-28T02:39:13.781Z",
        "flow_seq_num"    => 2488,
        "l4_src_port"     => 7823,             # 源端口
        "output_snmp"     => 2,
        "direction"       => 0,
        "in_pkts"         => 1,
        "ipv4_dst_addr"   => "192.168.80.15",  # 目的IP
        "src_mask"        => 0,
        "dst_mask"        => 16,
        "flow_sampler_id" => 0,
        "src_tos"         => 0,
        "l4_dst_port"     => 53367             # 目的端口
    },
    "host"       => "88.88.88.88",
    "@timestamp" => 2020-05-28T02:39:37.000Z,
    "@version"   => "1"
}
详细字段说明: https://www.ibm.com/support/knowledgecenter/en/SSCVHB_1.2.2/collector/cnpi_collector_v9_fiels_types.html
安装 syslog 输出插件(启动 Logstash 前执行一次):
bin/logstash-plugin install logstash-output-syslog
input {
  # NetFlow exporters push UDP datagrams; the netflow codec decodes each one
  # into an event whose decoded fields live under [netflow].
  #
  # Security notes for whoever deploys this:
  #  - 90 is a privileged port (< 1024): Logstash must run as root or hold
  #    CAP_NET_BIND_SERVICE to bind it. The conventional NetFlow port is 2055.
  #  - UDP carries no source authentication, so any host that can reach this
  #    port can inject fabricated flow records. Restrict it at the host
  #    firewall to the exporter addresses (the udp input binds 0.0.0.0 unless
  #    `host =>` is set).
  udp {
    codec => netflow
    port  => 90
  }
}
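filter {
  # Hoist the four fields the downstream syslog consumer needs to the top level.
  # Everything else under [netflow] (protocol, byte/packet counts, TCP flags,
  # AS numbers, ...) is discarded by remove_field below; widen this list if
  # those are needed for detection.
  mutate {
    rename => {
      "[netflow][ipv4_src_addr]" => "src_ip"
      "[netflow][l4_src_port]"   => "src_port"
      "[netflow][ipv4_dst_addr]" => "dst_ip"
      "[netflow][l4_dst_port]"   => "dst_port"
    }
  }

  # rename is a no-op when the source field is absent, so records without an
  # IPv4 tuple (presumably IPv6 flows or template/option records) would
  # otherwise be forwarded as empty, indistinguishable events. Tag them so the
  # collector can tell them apart from real flows (underscore prefix follows
  # the Logstash convention for internal tags, e.g. _grokparsefailure).
  if ![src_ip] {
    mutate {
      add_tag => ["_netflow_no_ipv4_tuple"]
    }
  }

  mutate {
    remove_field => ["netflow"]
  }
}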
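output {
  # Uncomment while debugging to see the event exactly as the filter leaves it.
  # stdout {
  #   codec => rubydebug
  # }

  syslog {
    host => "192.168.100.123"
    port => 16060

    # The plugin's default payload is "%{message}". A decoded NetFlow event has
    # no [message] field, so without an explicit format the renamed 5-tuple
    # fields would never reach the collector. Adjust the layout to whatever the
    # receiving parser expects.
    message => "src_ip=%{src_ip} src_port=%{src_port} dst_ip=%{dst_ip} dst_port=%{dst_port}"

    # Transport defaults to plaintext UDP: unacknowledged, spoofable and readable
    # on the wire. Made explicit here so the choice is visible; prefer "tcp", or
    # "ssl-tcp" with ssl_cacert/ssl_verify, when the collector is not on a
    # trusted network segment.
    protocol => "udp"
  }
}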