Based on this: https://github.com/elastic/elasticsearch/blob/main/modules/ingest-common/src/main/java/org/elasticsearch/ingest/common/CommunityIdProcessor.java#L440-L451
[role="xpack"]
[[community-id-processor]]
=== Community ID processor
++++
<titleabbrev>Community ID</titleabbrev>
++++
Computes the Community ID for network flow data as defined in the
https://github.com/corelight/community-id-spec[Community ID Specification].
You can use a community ID to correlate network events related to a single
flow. The ID is derived from the flow's endpoint addresses, ports, and protocol
(plus the optional `seed`), so both directions of a flow, and events for the same
flow produced by any other tool that implements the specification with the same
seed, yield the same value.
The community ID processor reads network flow data from the corresponding
{ecs-ref}[Elastic Common Schema (ECS)] fields by default. If your documents
already use ECS field names, no configuration is required.
[[community-id-options]]
.Community ID Options
[options="header"]
|======
| Name | Required | Default | Description
| `source_ip` | no | `source.ip` | Field containing the source IP address.
| `source_port` | no | `source.port` | Field containing the source port.
| `destination_ip` | no | `destination.ip` | Field containing the destination IP address.
| `destination_port` | no | `destination.port` | Field containing the destination port.
| `iana_number` | no | `network.iana_number` | Field containing the IANA protocol number. When present, it takes precedence over `transport`. The following protocol numbers are currently supported: `1` ICMP, `2` IGMP, `6` TCP, `17` UDP, `47` GRE, `58` ICMP IPv6, `88` EIGRP, `89` OSPF, `103` PIM, and `132` SCTP.
| `icmp_type` | no | `icmp.type` | Field containing the ICMP type.
| `icmp_code` | no | `icmp.code` | Field containing the ICMP code.
| `transport` | no | `network.transport` | Field containing the transport protocol name (for example `TCP`, as in the example below). Used only when the `iana_number` field is not present in the document.
| `target_field` | no | `network.community_id` | Output field for the community ID.
| `seed` | no | `0` | Seed for the community ID hash. Must be between
0 and 65535 (inclusive). The seed separates IDs between network domains, such as
a staging and a production network that use the same addressing scheme: otherwise
identical flows in the two domains receive different IDs. Every tool or pipeline
whose IDs you want to correlate with these must use the same seed.
| `ignore_missing` | no | `true` | If `true` and any required fields are missing,
the processor quietly exits without modifying the document. Because this is the
default, documents with incomplete flow data silently lack the `target_field`;
queries and detection rules keyed on `network.community_id` should account for
its absence.
include::common-options.asciidoc[]
|======
Here is an example definition of the community ID processor:
[source,js]
--------------------------------------------------
{
"description" : "...",
"processors" : [
{
"community_id": {
}
}
]
}
--------------------------------------------------
// NOTCONSOLE
When the above processor executes on the following document:
[source,js]
--------------------------------------------------
{
"_source": {
"source": {
"ip": "123.124.125.126",
"port": 12345
},
"destination": {
"ip": "55.56.57.58",
"port": 80
},
"network": {
"transport": "TCP"
}
}
}
--------------------------------------------------
// NOTCONSOLE
It produces this result:
[source,js]
--------------------------------------------------
"_source" : {
"destination" : {
"port" : 80,
"ip" : "55.56.57.58"
},
"source" : {
"port" : 12345,
"ip" : "123.124.125.126"
},
"network" : {
"community_id" : "1:9qr9Z1LViXcNwtLVOHZ3CL8MlyM=",
"transport" : "TCP"
}
}
--------------------------------------------------
// NOTCONSOLE