CSIRT-MU / Stream4Flow

A framework for the real-time network traffic analysis based on world-leading technologies for distributed stream processing, network traffic monitoring, and visualization.
https://csirt.muni.cz/?lang=en
MIT License

Elasticsearch - store IP in IP format #4

Closed tomjirsa closed 7 years ago

tomjirsa commented 7 years ago

The IP addresses are stored as a string in elasticsearch. Modify the Logstash configuration to store in IPv4 format. The goal is a possibility of queries on CIDR range.

Proposed solution: http://www.pipebug.com/elasticsearch-logstash-kibana-4-mapping-4.html

tomjirsa commented 7 years ago

modified the template according to the link, committed - 295b58b47fc96f5b61353f1d61bbe8c40b450af2

Supported fields stored as IP in kibana:

Example query in kibana on range: src_ipv4:"236.4.180.0/29"
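The mapping change and the CIDR query this issue asks for, as an added example that is not Stream4Flow's own code or its committed template: it builds an Elasticsearch index template that declares the address fields with the `ip` field type, builds the equivalent term query for the Kibana range query above (Elasticsearch accepts CIDR notation in a `term` query on an `ip` field), and runs a local reference check over a few constructed flow records to show why the string-typed mapping could not answer range queries. The field names `src_ipv4`/`dst_ipv4` follow the issue; the index pattern `stream4flow-*`, the sample records, and the use of the composable index template format (Elasticsearch 7.8+) are assumptions.

```python
"""Added example (not Stream4Flow project code).

Shows the Elasticsearch ``ip`` mapping plus the CIDR term query the issue
describes, and contrasts IP-aware matching with the lexicographic matching
that a string-typed field gives you.
"""
import ipaddress

# Address fields the issue wants stored as IP (assumed names from the thread).
IP_FIELDS = ["src_ipv4", "dst_ipv4"]

# Constructed sample flow records (not real Stream4Flow output).
SAMPLE_FLOWS = [
    {"src_ipv4": "236.4.180.1", "dst_ipv4": "10.0.0.1", "bytes": 120},
    {"src_ipv4": "236.4.180.6", "dst_ipv4": "10.0.0.2", "bytes": 980},
    {"src_ipv4": "236.4.180.10", "dst_ipv4": "10.0.0.3", "bytes": 42},
    {"src_ipv4": "10.0.0.5", "dst_ipv4": "236.4.180.3", "bytes": 7},
]


def ip_index_template(index_pattern="stream4flow-*"):
    """Index template mapping each address field as Elasticsearch type ``ip``.

    Uses the composable template layout (assumed ES 7.8+); on older clusters
    the same ``mappings`` object goes into a legacy ``_template`` body.
    """
    properties = {field: {"type": "ip"} for field in IP_FIELDS}
    return {
        "index_patterns": [index_pattern],
        "template": {"mappings": {"properties": properties}},
    }


def cidr_term_query(field, cidr):
    """Query DSL equivalent of the Kibana query ``field:"a.b.c.d/len"``.

    Elasticsearch interprets CIDR notation in a term query on an ``ip`` field;
    the range is validated locally first so a malformed value fails early.
    """
    ipaddress.ip_network(cidr, strict=False)  # raises ValueError if malformed
    return {"query": {"term": {field: cidr}}}


def matches_cidr(records, field, cidr):
    """Local reference check: records an ``ip``-typed field query would return."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [
        r for r in records
        if field in r and ipaddress.ip_address(r[field]) in net
    ]


def lexicographic_range_match(records, field, low, high):
    """What a range query on a string-typed field effectively computes.

    Strings compare character by character, so "236.4.180.10" sorts before
    "236.4.180.7" and is wrongly included in a .0 .. .7 range.
    """
    return [r for r in records if field in r and low <= r[field] <= high]


if __name__ == "__main__":
    print(ip_index_template())
    print(cidr_term_query("src_ipv4", "236.4.180.0/29"))
    print("ip-typed match  :", [r["src_ipv4"] for r in matches_cidr(SAMPLE_FLOWS, "src_ipv4", "236.4.180.0/29")])
    print("string-typed    :", [r["src_ipv4"] for r in lexicographic_range_match(SAMPLE_FLOWS, "src_ipv4", "236.4.180.0", "236.4.180.7")])
```

`matches_cidr` returns only the two sources inside 236.4.180.0/29 (.1 and .6), while the string comparison also pulls in 236.4.180.10, which is the class of wrong answer the original string mapping produced; after re-indexing with the `ip` mapping, the Kibana query `src_ipv4:"236.4.180.0/29"` and the `term` query built here behave like `matches_cidr`.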