ufw.log logstash filter and elasticsearch mapping
============= /etc/logstash/conf.d/ufw.conf =============
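  # /etc/logstash/conf.d/ufw.conf -- parse UFW (netfilter LOG target) lines from /var/log/ufw.log.
  # Logstash concatenates every file in conf.d into a single pipeline, so the events are tagged
  # with type "ufw" and every filter below is gated on that type.
  # NOTE(review): the logstash user needs read access to /var/log/ufw.log (typically the adm
  # group on Debian/Ubuntu); a silent "no events" is usually that, not the grok pattern.
  input {
    file {
      type => "ufw"
      # "beginning" is honoured only for a file with no sincedb entry; once a sincedb exists
      # Logstash resumes from the recorded offset.
      start_position => "beginning"
      path => "/var/log/ufw.log"
    }
  }

  filter {
    if [type] == "ufw" {
      grok {
        # Example line (rsyslog, kernel facility):
        #   Apr 15 10:01:02 fw1 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=<dst>:<src>:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
        # Changes vs the original pattern:
        #  - "%{SYSLOGTIMESTAMP: timestamp}" had a space after the colon; grok does not accept that
        #    as a field name, so the pattern never matched and every line got _grokparsefailure.
        #  - HOSTNAME instead of WORD for the syslog host: WORD rejects hyphenated hostnames.
        #  - the printk timestamp is space-padded ("[    5.123456]") and may be absent entirely
        #    when printk timestamps are disabled, so it is matched with \s* and made optional.
        #  - the UFW action (BLOCK, ALLOW, AUDIT ...) is captured instead of hard-coding BLOCK, and
        #    IN=/OUT= may each be empty (OUT is set for forwarded and outbound traffic).
        #  - the MAC= field ends with the ethertype in hex (08:00 IPv4, 86:dd IPv6); the original
        #    "\d+:\d+" silently dropped every IPv6 event. MAC= itself is empty on interfaces without
        #    a link-layer header (e.g. tun/ppp), so that whole group is optional.
        # NOTE(review): the file input also sets "host" to the Logstash node's own hostname; when
        # the two differ grok turns "host" into a two-value array. Rename the capture (and its
        # mapping) to e.g. syslog_host if ufw.log is ever shipped from another machine.
        match => {
          "message" => "%{SYSLOGTIMESTAMP:timestamp}\s%{HOSTNAME:host}\skernel:\s(?:\[\s*%{NUMBER:kernel_timestamp}\]\s)?\[UFW (?<ufw_action>[A-Z ]+)\]\sIN=(?<adapter>\S*)\sOUT=(?<out_adapter>\S*)\sMAC=(?:%{MAC:dst_mac}:%{MAC:src_mac}:(?<ethertype>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}))?\sSRC=%{IP:src_ip}\sDST=%{IP:dst_ip}\s%{GREEDYDATA:packet_details}"
        }
      }
      # Set @timestamp from the syslog time instead of ingestion time; otherwise replaying the
      # file (start_position => "beginning") stamps old events with "now" and the timeline is
      # useless for incident reconstruction. Syslog timestamps carry no year, so the date filter
      # assumes the current one -- replaying a file that spans New Year will mis-date events.
      date {
        match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "MMM d HH:mm:ss"]
      }
      # Split "LEN=40 ... PROTO=TCP SPT=41234 DPT=22 ..." into [packet][LEN], [packet][PROTO],
      # [packet][DPT] ... so protocol and destination port are queryable. Bare flags without an
      # "=" (DF, SYN) carry no value and are ignored by kv. packet_details is kept intact.
      kv {
        source => "packet_details"
        target => "packet"
        field_split => " "
        value_split => "="
      }
      # kv and grok produce strings; convert the numeric fields so the index template's
      # integer/double mappings and range queries (e.g. DPT < 1024) work. convert skips
      # fields that are absent (SPT/DPT do not exist for ICMP).
      mutate {
        convert => {
          "kernel_timestamp" => "float"
          "[packet][LEN]" => "integer"
          "[packet][TTL]" => "integer"
          "[packet][SPT]" => "integer"
          "[packet][DPT]" => "integer"
        }
      }
      # GeoIP of the remote end. Lookups of RFC1918/loopback sources fail and tag the event
      # _geoip_lookup_failure, which is expected for LAN traffic and not an error.
      geoip {
        source => "src_ip"
      }
    }
  }

  # No output is defined here because conf.d files are merged and the elasticsearch output
  # normally lives in another file. That output must write to an index matching the
  # template's "ufw*" pattern (e.g. index => "ufw-%{+YYYY.MM.dd}"); with the default
  # "logstash-%{+YYYY.MM.dd}" index the template_ufw mapping never applies.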
============= Elasticsearch index template (template_ufw) =============
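  # Index template for the ufw* indices written by the Logstash pipeline above.
  # Elasticsearch 6.x syntax (single "doc" mapping type, legacy _template endpoint): on 7.x
  # drop the "doc" level, and from 7.8 prefer the composable _index_template API.
  # A PUT to _template changes how every future ufw* index is mapped, so do not run this
  # against a cluster over plain unauthenticated HTTP unless it is only reachable locally;
  # add -u user:pass and https:// (with --cacert) if the cluster enforces auth/TLS.
  # Changes vs the original template:
  #  - "number" is not an Elasticsearch field type (the PUT was rejected with
  #    "No handler for type [number]"); kernel_timestamp is fractional seconds, so "double".
  #  - the syslog "timestamp" ("Apr 15 10:01:02") has no year and does not match the default
  #    date formats, so mapping it as "date" makes ES reject every document; it is kept as a
  #    keyword and @timestamp (set by the date filter) carries the parsed event time.
  #  - ufw_action, out_adapter and the kv-parsed "packet" object are mapped explicitly so
  #    ports are numeric and PROTO/action are exact-match keywords for dashboards and alerts.
  # The JSON body is inside single quotes, so it must not contain a single quote.
  curl -XPUT 'localhost:9200/_template/template_ufw?pretty' -H 'Content-Type: application/json' -d'
  {
    "index_patterns": ["ufw*"],
    "settings": {
      "refresh_interval": "10s",
      "number_of_shards": "1"
    },
    "mappings": {
      "doc": {
        "properties": {
          "@timestamp": { "type": "date" },
          "timestamp": { "type": "keyword" },
          "kernel_timestamp": { "type": "double" },
          "@version": { "type": "keyword" },
          "host": { "type": "keyword" },
          "ufw_action": { "type": "keyword" },
          "adapter": { "type": "keyword" },
          "out_adapter": { "type": "keyword" },
          "src_ip": { "type": "ip" },
          "dst_ip": { "type": "ip" },
          "src_mac": { "type": "keyword" },
          "dst_mac": { "type": "keyword" },
          "ethertype": { "type": "keyword" },
          "packet": {
            "dynamic": "true",
            "properties": {
              "PROTO": { "type": "keyword" },
              "SPT": { "type": "integer" },
              "DPT": { "type": "integer" },
              "LEN": { "type": "integer" },
              "TTL": { "type": "integer" }
            }
          },
          "geoip": {
            "dynamic": "true",
            "properties": {
              "city_name": { "type": "keyword" },
              "continent_code": { "type": "keyword" },
              "country_code2": { "type": "keyword" },
              "country_code3": { "type": "keyword" },
              "country_name": { "type": "keyword" },
              "dma_code": { "type": "long" },
              "ip": { "type": "ip" },
              "latitude": { "type": "half_float" },
              "location": { "type": "geo_point" },
              "longitude": { "type": "half_float" },
              "postal_code": { "type": "keyword" },
              "region_code": { "type": "keyword" },
              "region_name": { "type": "keyword" },
              "timezone": { "type": "keyword" }
            }
          },
          "packet_details": { "type": "text" }
        }
      }
    }
  }'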