amazon-web-services - 从 WAF/Kinesis 获取时间戳到 Elasticsearch

Question

我们正在尝试寻找如何将来自 AWS WAF/Kinesis Firehose 的时间戳转换为 Elasticsearch，使其类型为日期字段。创建索引映射时，它具有时间戳字段，但它是一个 type long，即使似乎有一个 type 选项epoch_millis（这就是数据的内容）。

Kibana 界面说使用映射 api 来更改字段类型，但我似乎无法弄清楚这一点。此处的示例显示了如何通过创建新索引来执行此操作，但 kinesis 正在创建/旋转索引，因此我们似乎需要一种修改默认值的方法。

该字段看起来像这样

  "timestamp": {
    "type": "long"
  },

完整的索引定义看起来像这样，但这些都是定期创建的，所以我们试图弄清楚如何更改默认值

  "waf-prod-2018-10-05": {
    "mappings": {
      "waf-prod": {
        "properties": {
          "action": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "formatVersion": {
            "type": "long"
          },
          "httpRequest": {
            "properties": {
              "args": { 
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "clientIp": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "headers": {
                "properties": {
                  "name": {
                    "type": "text",
                    "fields": {
                      "keyword": {
                        "type": "keyword",
                        "ignore_above": 256
                      }
                    }
                  },
                  "value": {
                    "type": "text",
                    "fields": {
                      "keyword": {
                        "type": "keyword",
                        "ignore_above": 256
                      }
                    }
                  }
                }
              },
              "httpMethod": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "httpVersion": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "uri": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          },
          "httpSourceId": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "httpSourceName": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "nonTerminatingMatchingRules": {
            "properties": {
              "action": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "ruleId": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          },
          "rateBasedRuleList": {
            "properties": {
              "limitKey": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "maxRateAllowed": {
                "type": "long"
              },
              "rateBasedRuleId": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          },
          "terminatingRuleId": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "terminatingRuleType": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "timestamp": {
            "type": "long"
          },
          "webaclId": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      }
    }
  },

score 0 · Accepted Answer

模板的代码取决于你的 ES 版本。如果您使用的是7.x版本。您需要在 properties 之前和之后删除字段（映射类型字段，在您的情况下由“waf-prod”调用）。您可以尝试这样做（例如，这是我对 ES 7.x 的配置）：

PUT _template/template_waf-logs
{
  "order": 0,
  "index_patterns": [
    "aws-waf-logs-detected-requests-*"
  ],
  "settings": {
    "index": {
      "number_of_shards": "1",
      "number_of_replicas": "0",
      "refresh_interval": "5s"
    }
  },
  "mappings": {
    "properties": {
      "httpRequest": {
        "properties": {
          "clientIp": {
            "type": "keyword",
            "fields": {
              "keyword": {
                "type": "ip"
              }
            }
          }
        }
      },
      "timestamp": {
        "type": "date",
        "format": "epoch_millis"
      }
    }
  }
}

在此处查看 AWS 的文档：https ://aws.amazon.com/blogs/security/how-to-analyze-aws-waf-logs-using-amazon-elasticsearch-service/
在此处使用 ES 社区的答案更新您的知识：https ://discuss.elastic.co/t/root-mapping-definition-has-unsupported-parameters-when-creating-custom-index/240690

添加映射类型的说明：https ://discuss.elastic.co/t/common-error-root-mapping-definition-has-unsupported-parameters/63300/2
ES版本解释：https ://stackoverflow.com/a/39290979/10746857

score -2 · Accepted Answer

只需将timestamp格式添加到映射中：

"timestamp": {
    "type": "date",
    "format": "epoch_millis"
}

amazon-web-services - 从 WAF/Kinesis 获取时间戳到 Elasticsearch

2 回答 2

Related

Reference