Merge pull request #262 from robcowart/v3.x-dev

fix netflow app id regression
robcowart · Feb 21, 2019 · b430b70 · b430b70
2 parents 5a96763 + fb32b1b
commit b430b70
Showing 1 changed file with 14 additions and 14 deletions.
diff --git a/logstash/elastiflow/conf.d/20_filter_20_netflow.logstash.conf b/logstash/elastiflow/conf.d/20_filter_20_netflow.logstash.conf
@@ -484,11 +484,11 @@ filter {
         }
 
       # Populate normalized ElastiFlow fields for applications if available.
-        if [netflow][application_name] {
+        if [netflow][app_name] {
           mutate {
             id => "netflow_9_add_app_from_name"
-            rename => { "[netflow][application_name]" => "[flow][application]" }
-            remove_field => [ "[netflow][application_id]" ]
+            rename => { "[netflow][app_name]" => "[flow][application]" }
+            remove_field => [ "[netflow][app_id]" ]
           }
         } else if [netflow][ntop_l7_proto_name] {
           mutate {
@@ -500,15 +500,15 @@ filter {
             id => "netflow_9_add_app_from_pan_app"
             rename => { "[netflow][pan_app]" => "[flow][application]" }
           }
-        } else if [netflow][application_id] {
-          if [netflow][application_id] =~ /^.*:[0-9]+$/ {
+        } else if [netflow][app_id] {
+          if [netflow][app_id] =~ /^.*:[0-9]+$/ {
             mutate {
               id => "netflow_9_convert_appid_to_v4"
-              gsub => [ "[netflow][application_id]", ":", ".." ]
+              gsub => [ "[netflow][app_id]", ":", ".." ]
             }
           }
 
-          if [netflow][application_id] != "0..0" {
+          if [netflow][app_id] != "0..0" {
             translate {
               id => "netflow_9_get_appid_srctype"
               dictionary_path => "${ELASTIFLOW_DICT_PATH:/etc/logstash/elastiflow/dictionaries}/app_id.srctype.yml"
@@ -519,41 +519,41 @@ filter {
             }
 
             if [@metadata][appid_srctype] == "fortinet" {
-              if [netflow][application_id] =~ /^[0-9]+\.\.[0-9]+\.\.[0-9]+$/ {
+              if [netflow][app_id] =~ /^[0-9]+\.\.[0-9]+\.\.[0-9]+$/ {
                 mutate {
                   id => "netflow_9_normalize_fortinet_appids"
-                  gsub => [ "[netflow][application_id]", "[0-9]+\.\.[0-9]+\.\.", "0.." ]
+                  gsub => [ "[netflow][app_id]", "[0-9]+\.\.[0-9]+\.\.", "0.." ]
                 }
               }
             }
 
             if [@metadata][appid_srctype] != "__UNKNOWN" {
               mutate {
                 id => "netflow_9_set_appid_key"
-                add_field => { "[@metadata][appid_key]" => "%{[@metadata][appid_srctype]}__%{[netflow][application_id]}" }
+                add_field => { "[@metadata][appid_key]" => "%{[@metadata][appid_srctype]}__%{[netflow][app_id]}" }
               }
               translate {
                 id => "netflow_9_add_app_from_id_srctype"
                 dictionary_path => "${ELASTIFLOW_DICT_PATH:/etc/logstash/elastiflow/dictionaries}/app_id.yml"
                 field => "[@metadata][appid_key]"
                 destination => "[flow][application]"
-                fallback => "%{[netflow][application_id]}"
+                fallback => "%{[netflow][app_id]}"
                 refresh_behaviour => "replace"
               }
               mutate {
                 id => "netflow_9_remove_app_id_unknown"
-                remove_field => [ "[netflow][application_id]" ]
+                remove_field => [ "[netflow][app_id]" ]
               }
             } else {
               mutate {
                 id => "netflow_9_add_app_from_id"
-                rename => { "[netflow][application_id]" => "[flow][application]" }
+                rename => { "[netflow][app_id]" => "[flow][application]" }
               }
             }
           } else {
             mutate {
               id => "netflow_9_remove_app_id"
-              remove_field => [ "[netflow][application_id]" ]
+              remove_field => [ "[netflow][app_id]" ]
             }
           }
         }