Keep original event in event.original

Network Flows
1

Hello

Is is possible to keep the original flow event in the field event.original?

Best regards

Kåre

2

Hi Kåre,

I’m afraid I don’t understand what you are asking. Can you give a specific example or provide a screen shot to help clarify?

Thanks,
Dexter Turner

3

Hello Dexter,

Lets says that elastiflow receives this event:
{
“event”: {
“category”: “network”,
“kind”: “event”,
“action”: “netflow”,
“outcome”: “success”,
“dataset”: “netflow”
},
“source”: {
“ip”: “192.168.1.10”,
“port”: 53213,
“mac”: “00:1A:2B:3C:4D:5E”,
“bytes”: 1050,
“packets”: 5
},
“destination”: {
“ip”: “192.168.2.20”,
“port”: 443,
“mac”: “00:1A:2B:3C:4D:5F”,
“bytes”: 2080,
“packets”: 7
},
“network”: {
“protocol”: “tcp”,
“transport”: “tcp”,
“direction”: “outbound”,
“bytes”: 3130,
“packets”: 12
},
“flow”: {
“id”: “12345”,
“start”: “2024-10-29T12:00:00Z”,
“end”: “2024-10-29T12:05:00Z”,
“duration”: 300
},
“observer”: {
“type”: “netflow”,
“ip”: “192.168.1.1”,
“hostname”: “router1”,
“serial_number”: “123456789”
},
“ecs”: {
“version”: “1.11.0”
}
}

I would like the option to store that event in the field event.original along with the all the other fields that elastiflow creates so when I look in elastic search I see:

client.ip: 192.168.1.10
all elastiflow fields
event.original : {
“event”: {
“category”: “network”,
“kind”: “event”,
“action”: “netflow”,
“outcome”: “success”,
“dataset”: “netflow”
},
“source”: {
“ip”: “192.168.1.10”,
“port”: 53213,
“mac”: “00:1A:2B:3C:4D:5E”,
“bytes”: 1050,
“packets”: 5
},
“destination”: {
“ip”: “192.168.2.20”,
“port”: 443,
“mac”: “00:1A:2B:3C:4D:5F”,
“bytes”: 2080,
“packets”: 7
},
“network”: {
“protocol”: “tcp”,
“transport”: “tcp”,
“direction”: “outbound”,
“bytes”: 3130,
“packets”: 12
},
“flow”: {
“id”: “12345”,
“start”: “2024-10-29T12:00:00Z”,
“end”: “2024-10-29T12:05:00Z”,
“duration”: 300
},
“observer”: {
“type”: “netflow”,
“ip”: “192.168.1.1”,
“hostname”: “router1”,
“serial_number”: “123456789”
},
“ecs”: {
“version”: “1.11.0”
}
}

Hopes this makes sense

Best regards

Kåre

4

I think there may be a misunderstanding of what the ElastiFlow collector receives. Flow records are an array of encoded bytes, such as…

image
image428×168 14.5 KB

event.original is intended to hold the “Raw text message of entire event.” A flow record (Netflow, IPFIX, sFlow) never exists in the form of a raw text message, and thus there is no value to store in this field.

5

Hi Rob,

Thank you for the clarification :slight_smile:

Best

Kåre

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.