set translate refresh_behaviour to replace

robcowart · Sep 17, 2018 · 69fe41a · 69fe41a
1 parent f66d3c4
commit 69fe41a
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/logstash/elastiflow/conf.d/20_filter_20_netflow.logstash.conf b/logstash/elastiflow/conf.d/20_filter_20_netflow.logstash.conf
@@ -510,6 +510,7 @@ filter {
               field => "[node][ipaddr]"
               destination => "[@metadata][appid_srctype]"
               fallback => "${ELASTIFLOW_DEFAULT_APPID_SRCTYPE:__UNKNOWN}"
+              refresh_behaviour => "replace"
             }
 
             if [@metadata][appid_srctype] == "fortinet" {
@@ -532,6 +533,7 @@ filter {
                 field => "[@metadata][appid_key]"
                 destination => "[flow][application]"
                 fallback => "%{[netflow][application_id]}"
+                refresh_behaviour => "replace"
               }
               mutate {
                 id => "netflow_9_remove_app_id_unknown"
@@ -560,6 +562,7 @@ filter {
             destination => "[netflow][rb_fe_type]"
             override => true
             fallback => "undefined (%{[netflow][rb_fe_type]})"
+            refresh_behaviour => "replace"
           }
         }
         if [netflow][rb_passthru_reason] {
@@ -570,6 +573,7 @@ filter {
             destination => "[netflow][rb_passthru_reason]"
             override => true
             fallback => "undefined (%{[netflow][rb_passthru_reason]})"
+            refresh_behaviour => "replace"
           }
         }
         if [netflow][rb_wan_visibility] {
@@ -580,6 +584,7 @@ filter {
             destination => "[netflow][rb_wan_visibility]"
             override => true
             fallback => "undefined (%{[netflow][rb_wan_visibility]})"
+            refresh_behaviour => "replace"
           }
         }
         if [netflow][rb_cfe_tcp_port] {
@@ -589,6 +594,7 @@ filter {
             field => "[netflow][rb_cfe_tcp_port]"
             destination => "[netflow][rb_cfe_tcp_port_name]"
             fallback => "__UNKNOWN"
+            refresh_behaviour => "replace"
           }
           if [netflow][rb_cfe_tcp_port_name] == "__UNKNOWN" {
             mutate {
@@ -609,6 +615,7 @@ filter {
             field => "[netflow][rb_outer_tcp_port]"
             destination => "[netflow][rb_outer_tcp_port_name]"
             fallback => "__UNKNOWN"
+            refresh_behaviour => "replace"
           }
           if [netflow][rb_outer_tcp_port_name] == "__UNKNOWN" {
             mutate {
@@ -629,6 +636,7 @@ filter {
             field => "[netflow][rb_sfe_tcp_port]"
             destination => "[netflow][rb_sfe_tcp_port_name]"
             fallback => "__UNKNOWN"
+            refresh_behaviour => "replace"
           }
           if [netflow][rb_sfe_tcp_port_name] == "__UNKNOWN" {
             mutate {
@@ -660,6 +668,7 @@ filter {
           field => "[node][ipaddr]"
           destination => "[flow][sampling_interval]"
           fallback => "0"
+          refresh_behaviour => "replace"
         }
         mutate {
           convert => { "[flow][sampling_interval]" => "integer" }

diff --git a/logstash/elastiflow/conf.d/20_filter_30_ipfix.logstash.conf b/logstash/elastiflow/conf.d/20_filter_30_ipfix.logstash.conf
@@ -403,6 +403,7 @@ filter {
             field => "[node][ipaddr]"
             destination => "[@metadata][appid_srctype]"
             fallback => "${ELASTIFLOW_DEFAULT_APPID_SRCTYPE:__UNKNOWN}"
+            refresh_behaviour => "replace"
           }
 
           if [@metadata][appid_srctype] == "fortinet" {
@@ -425,6 +426,7 @@ filter {
               field => "[@metadata][appid_key]"
               destination => "[flow][application]"
               fallback => "%{[ipfix][applicationId]}"
+              refresh_behaviour => "replace"
             }
             mutate {
               id => "ipfix_remove_appid_unknown"

diff --git a/logstash/elastiflow/conf.d/20_filter_40_sflow.logstash.conf b/logstash/elastiflow/conf.d/20_filter_40_sflow.logstash.conf
@@ -167,6 +167,7 @@ filter {
           destination => "[sflow][source_id_type]"
           fallback => "UNKNOWN(%{[sflow][source_id_type]})"
           override => true
+          refresh_behaviour => "replace"
         }
       }
 
@@ -298,6 +299,7 @@ filter {
           destination => "[sflow][protocol]"
           fallback => "UNKNOWN(%{[sflow][protocol]})"
           override => true
+          refresh_behaviour => "replace"
         }
       }
     } else {

diff --git a/logstash/elastiflow/conf.d/20_filter_90_post_process.logstash.conf b/logstash/elastiflow/conf.d/20_filter_90_post_process.logstash.conf
@@ -253,6 +253,7 @@ filter {
                 field => "[flow][dst_addr]"
                 destination => "[@metadata][dst_whitelist]"
                 fallback => "false"
+                refresh_behaviour => "replace"
               }
               # If not whitelisted, lookup the IP reputation.
               if [@metadata][dst_whitelist] == "false" {
@@ -261,6 +262,7 @@ filter {
                   dictionary_path => "${ELASTIFLOW_DICT_PATH:/etc/logstash/elastiflow/dictionaries}/ip_rep_basic.yml"
                   field => "[flow][dst_addr]"
                   destination => "[@metadata][dst_rep_label]"
+                  refresh_behaviour => "replace"
                 }
                 # Parse the IP reputation lable into tags.
                 if [@metadata][dst_rep_label] {
@@ -394,6 +396,7 @@ filter {
                 field => "[flow][src_addr]"
                 destination => "[@metadata][src_whitelist]"
                 fallback => "false"
+                refresh_behaviour => "replace"
               }
               # If not whitelisted, lookup the IP reputation.
               if [@metadata][src_whitelist] == "false" {
@@ -402,6 +405,7 @@ filter {
                   dictionary_path => "${ELASTIFLOW_DICT_PATH:/etc/logstash/elastiflow/dictionaries}/ip_rep_basic.yml"
                   field => "[flow][src_addr]"
                   destination => "[@metadata][src_rep_label]"
+                  refresh_behaviour => "replace"
                 }
                 # Parse the IP reputation lable into tags.
                 if [@metadata][src_rep_label] {
@@ -464,6 +468,7 @@ filter {
               field => "[flow][src_port]"
               destination => "[flow][src_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
           if [flow][dst_port] {
@@ -473,6 +478,7 @@ filter {
               field => "[flow][dst_port]"
               destination => "[flow][dst_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
         } else if [flow][ip_protocol] == 17 { # UDP
@@ -483,6 +489,7 @@ filter {
               field => "[flow][src_port]"
               destination => "[flow][src_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
           if [flow][dst_port] {
@@ -492,6 +499,7 @@ filter {
               field => "[flow][dst_port]"
               destination => "[flow][dst_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
         } else if [flow][ip_protocol] == 132 { # SCTP
@@ -502,6 +510,7 @@ filter {
               field => "[flow][src_port]"
               destination => "[flow][src_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
           if [flow][dst_port] {
@@ -511,6 +520,7 @@ filter {
               field => "[flow][dst_port]"
               destination => "[flow][dst_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
         } else if [flow][ip_protocol] == 33 { # DCCP
@@ -521,6 +531,7 @@ filter {
               field => "[flow][src_port]"
               destination => "[flow][src_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
           if [flow][dst_port] {
@@ -530,6 +541,7 @@ filter {
               field => "[flow][dst_port]"
               destination => "[flow][dst_port_name]"
               fallback => "__UNKNOWN"
+              refresh_behaviour => "replace"
             }
           }
         } else {
@@ -606,6 +618,7 @@ filter {
           destination => "[flow][ip_protocol]"
           fallback => "UNKNOWN(%{[flow][ip_protocol]})"
           override => true
+          refresh_behaviour => "replace"
         }
 
       # Set final value of port name fields.
@@ -870,6 +883,7 @@ filter {
         field => "[@metadata][in_if_key]"
         destination => "[flow][input_ifname]"
         fallback => "index: %{[flow][input_snmp]}"
+        refresh_behaviour => "replace"
       }
     }
     if [flow][output_snmp] {
@@ -883,6 +897,7 @@ filter {
         field => "[@metadata][out_if_key]"
         destination => "[flow][output_ifname]"
         fallback => "index: %{[flow][output_snmp]}"
+        refresh_behaviour => "replace"
       }
     }