Phil Hagen

icon indicating an email [email protected]

icon company Lewes Technology Consulting, LLC icon location Lewes, DE

Results 52 issues of Phil Hagen

Single stanza for ES outputs

Multiple ES outputs results in resource overuse, per Elastic's guidance. Merge all ES outputs to one, using a variable for the index name, e.g. `index => "%{something}-%{+YYYY.MM.dd}"`

Create Community ID field for NetFlow

4 comment

See https://github.com/corelight/community-id-spec

awaiting-validation

add tests to ruby scripts

all ruby scripts used by Logstash parsers need tests added

consider EvtxToElk

3 comment

See https://dragos.com/blog/20180717EvtxToElk.html

create tag for RFC1918, multicast, etc

3 comment

use the `logstash-filter-cidr` plugin

Create producer/consumer ratio

likely with a scripted field

add RFC5424 (IETF) syslog format handling

8 comment

LS provides separate RFC5424 grok parsers[1], meaning conditional support is needed for that, in conjunction with necessary field normalization. [1] https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/linux-syslog

add time frame to sof-elk_clear.py

1 comment

add command line option to clear "last {x} {interval}" records from an index, or a specific date range. also, a means of deleting all EXCEPT the "last {x} {interval}" records.

add dynamic ram allocation for Logstash

same as with ES - need to identify good ratios and reserve overhead first

Document parser creation process

documentation