elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Packetbeat] How to distinguish flows from different interface device in log? #30334

Closed 492917328 closed 7 months ago

492917328 commented 2 years ago

Packetbeat supports capturing all messages sent or received by the server on which Packetbeat is installed:

packetbeat.interfaces.device: any

But when I set the output to elasticsearch, I found that the field interface.device does not exist in its log. In other words, how to distinguish netflow from different interface device in log?

botelastic[bot] commented 2 years ago

Thank you very much for creating this issue. However, we would kindly like to ask you to post all questions and issues on the Discuss forum first. In addition to awesome, knowledgeable community contributors, core Beats developers are on the forums every single day to help you out as well. So, your questions will reach a wider audience there, and if we confirm that there is a bug, then you can reopen this issue with the new information or open a new one.

elasticmachine commented 2 years ago

Pinging @elastic/siem (Team:SIEM)

elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

adriansr commented 2 years ago

According to ECS this information must reside under observer.ingress.interface.*
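As an added illustration (not code from the Beats project or from anyone in this thread), the script below shows what it means to keep the capture interface under the ECS field observer.ingress.interface.name and how to group flow events by it. The sample events are constructed to resemble Packetbeat flow output; the one captured with `device: any` deliberately lacks the field, as the issue reports. The `tag_interface` helper imitates the effect of Beats' `add_fields` processor when each Packetbeat instance is pinned to one device (that per-instance layout is an assumption of this example, not something the thread confirms).

```python
import json
from collections import defaultdict

# Constructed sample events (Packetbeat-style ECS JSON, not real captures).
# Only some carry observer.ingress.interface.name; the 'any' capture does not.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"type": "flow", "source": {"ip": "10.0.0.5"}, "destination": {"ip": "10.0.0.9", "port": 443},
     "observer": {"ingress": {"interface": {"name": "eth0"}}}},
    {"type": "flow", "source": {"ip": "192.168.1.20"}, "destination": {"ip": "192.168.1.1", "port": 53},
     "observer": {"ingress": {"interface": {"name": "eth1"}}}},
    {"type": "flow", "source": {"ip": "10.0.0.7"}, "destination": {"ip": "10.0.0.9", "port": 80}},
])

# Constructed per-instance configuration (assumption: one Packetbeat per device).
# add_fields is a standard Beats processor; 'target' nests 'fields' under that key.
PER_INSTANCE_CONFIG = """
packetbeat.interfaces.device: eth0
processors:
  - add_fields:
      target: observer.ingress.interface
      fields:
        name: eth0
"""


def get_path(event, dotted, default=None):
    """Walk a dotted ECS path through nested dicts; return default if any hop is missing."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def interface_of(event):
    """ECS location for the capturing interface; 'unknown' when the shipper did not set it."""
    return get_path(event, "observer.ingress.interface.name", "unknown")


def tag_interface(event, device):
    """Mimic add_fields with target observer.ingress.interface and fields.name=device."""
    tagged = json.loads(json.dumps(event))  # copy so the original event stays untouched
    tagged.setdefault("observer", {}).setdefault("ingress", {}) \
          .setdefault("interface", {})["name"] = device
    return tagged


def flows_by_interface(ndjson_text):
    """Group flow tuples (src ip, dst ip, dst port) by the interface that captured them."""
    groups = defaultdict(list)
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") != "flow":
            continue
        groups[interface_of(event)].append((
            get_path(event, "source.ip"),
            get_path(event, "destination.ip"),
            get_path(event, "destination.port"),
        ))
    return dict(groups)


if __name__ == "__main__":
    for name, flows in sorted(flows_by_interface(SAMPLE_NDJSON).items()):
        print(f"{name}: {len(flows)} flow(s) -> {flows}")
    # Retagging the untagged event shows what the processor above would add.
    untagged = json.loads(SAMPLE_NDJSON.splitlines()[2])
    print(interface_of(tag_interface(untagged, "eth0")))
```

Any event that arrives without the field ends up in the "unknown" bucket, which is exactly the situation the original question describes; querying or visualising on observer.ingress.interface.name in Elasticsearch only works once the shipper (or an ingest pipeline) populates it.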

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!