westerterp/cisco-fw-mappings.sh

## cisco-fw-mappings.sh
#!/bin/sh

#
# Modified version of https://jackhanington.com/blog/2015/06/16/send-cisco-asa-syslogs-to-elasticsearch-using-logstash/
# Adapted to work with ElasticSearch 6
#

curl --header "content-type: application/JSON" -XPUT http://127.0.0.1:9200/_template/logstash_per_index -d '
{
    "template" : "logstash*",
    "mappings" : {
      "cisco-fw" : {
         "properties": {
            "@timestamp":{"type":"date","format":"dateOptionalTime"},
            "@version":{"type":"keyword"},
            "action":{"type":"text"},
            "bytes":{"type":"long"},
            "cisco_message":{"type":"text"},
            "ciscotag":{"type":"keyword"},
            "connection_count":{"type":"long"},
            "connection_count_max":{"type":"long"},
            "connection_id":{"type":"text"},
            "direction":{"type":"text"},
            "dst_interface":{"type":"text"},
            "dst_ip":{"type":"text"},
            "dst_mapped_ip":{"type":"ip"},
            "dst_mapped_port":{"type":"long"},
            "dst_port":{"type":"long"},
            "duration":{"type":"text"},
            "err_dst_interface":{"type":"text"},
            "err_dst_ip":{"type":"ip"},
            "err_icmp_code":{"type":"text"},
            "err_icmp_type":{"type":"text"},
            "err_protocol":{"type":"text"},
            "err_src_interface":{"type":"text"},
            "err_src_ip":{"type":"ip"},
            "geoip":{
               "properties":{
                  "area_code":{"type":"long"},
                  "asn":{"type":"keyword"},
                  "city_name":{"type":"keyword"},
                  "continent_code":{"type":"text"},
                  "country_code2":{"type":"text"},
                  "country_code3":{"type":"text"},
                  "country_name":{"type":"keyword"},
                  "dma_code":{"type":"long"},
                  "ip":{"type":"ip"},
                  "latitude":{"type":"double"},
                  "location":{"type":"geo_point"},
                  "longitude":{"type":"double"},
                  "number":{"type":"text"},
                  "postal_code":{"type":"text"},
                  "real_region_name":{"type":"keyword"},
                  "region_name":{"type":"keyword"},
                  "timezone":{"type":"text"}
               }
            },
            "group":{"type":"text"},
            "hashcode1": {"type":"text"},
            "hashcode2": {"type":"text"},
            "host":{"type":"text"},
            "icmp_code":{"type":"text"},
            "icmp_code_xlated":{"type":"text"},
            "icmp_seq_num":{"type":"text"},
            "icmp_type":{"type":"text"},
            "interface":{"type":"text"},
            "is_local_natted":{"type":"text"},
            "is_remote_natted":{"type":"text"},
            "message":{"type":"text"},
            "orig_dst_ip":{"type":"ip"},
            "orig_dst_port":{"type":"long"},
            "orig_protocol":{"type":"text"},
            "orig_src_ip":{"type":"ip"},
            "orig_src_port":{"type":"long"},
            "policy_id":{"type":"text"},
            "protocol":{"type":"text"},
            "reason":{"type":"text"},
            "seq_num":{"type":"long"},
            "spi":{"type":"text"},
            "src_interface":{"type":"text"},
            "src_ip":{"type":"ip"},
            "src_mapped_ip":{"type":"ip"},
            "src_mapped_port":{"type":"long"},
            "src_port":{"type":"long"},
            "src_xlated_interface":{"type":"text"},
            "src_xlated_ip":{"type":"ip"},
            "syslog_facility":{"type":"text"},
            "syslog_facility_code":{"type":"long"},
            "syslog_pri":{"type":"text"},
            "syslog_severity":{"type":"text"},
            "syslog_severity_code":{"type":"long"},
            "tags":{"type":"text"},
            "tcp_flags":{"type":"text"},
            "timestamp":{"type":"text"},
            "tunnel_type":{"type":"text"},
            "type":{"type":"text"},
            "user":{"type":"text"},
            "xlate_type":{"type":"text"}
      }
    }
  }
}'
	#!/bin/sh

	#
	# Modified version of https://jackhanington.com/blog/2015/06/16/send-cisco-asa-syslogs-to-elasticsearch-using-logstash/
	# Adapted to work with ElasticSearch 6
	#

	curl --header "content-type: application/JSON" -XPUT http://127.0.0.1:9200/_template/logstash_per_index -d '
	{
	"template" : "logstash*",
	"mappings" : {
	"cisco-fw" : {
	"properties": {
	"@timestamp":{"type":"date","format":"dateOptionalTime"},
	"@version":{"type":"keyword"},
	"action":{"type":"text"},
	"bytes":{"type":"long"},
	"cisco_message":{"type":"text"},
	"ciscotag":{"type":"keyword"},
	"connection_count":{"type":"long"},
	"connection_count_max":{"type":"long"},
	"connection_id":{"type":"text"},
	"direction":{"type":"text"},
	"dst_interface":{"type":"text"},
	"dst_ip":{"type":"text"},
	"dst_mapped_ip":{"type":"ip"},
	"dst_mapped_port":{"type":"long"},
	"dst_port":{"type":"long"},
	"duration":{"type":"text"},
	"err_dst_interface":{"type":"text"},
	"err_dst_ip":{"type":"ip"},
	"err_icmp_code":{"type":"text"},
	"err_icmp_type":{"type":"text"},
	"err_protocol":{"type":"text"},
	"err_src_interface":{"type":"text"},
	"err_src_ip":{"type":"ip"},
	"geoip":{
	"properties":{
	"area_code":{"type":"long"},
	"asn":{"type":"keyword"},
	"city_name":{"type":"keyword"},
	"continent_code":{"type":"text"},
	"country_code2":{"type":"text"},
	"country_code3":{"type":"text"},
	"country_name":{"type":"keyword"},
	"dma_code":{"type":"long"},
	"ip":{"type":"ip"},
	"latitude":{"type":"double"},
	"location":{"type":"geo_point"},
	"longitude":{"type":"double"},
	"number":{"type":"text"},
	"postal_code":{"type":"text"},
	"real_region_name":{"type":"keyword"},
	"region_name":{"type":"keyword"},
	"timezone":{"type":"text"}
	}
	},
	"group":{"type":"text"},
	"hashcode1": {"type":"text"},
	"hashcode2": {"type":"text"},
	"host":{"type":"text"},
	"icmp_code":{"type":"text"},
	"icmp_code_xlated":{"type":"text"},
	"icmp_seq_num":{"type":"text"},
	"icmp_type":{"type":"text"},
	"interface":{"type":"text"},
	"is_local_natted":{"type":"text"},
	"is_remote_natted":{"type":"text"},
	"message":{"type":"text"},
	"orig_dst_ip":{"type":"ip"},
	"orig_dst_port":{"type":"long"},
	"orig_protocol":{"type":"text"},
	"orig_src_ip":{"type":"ip"},
	"orig_src_port":{"type":"long"},
	"policy_id":{"type":"text"},
	"protocol":{"type":"text"},
	"reason":{"type":"text"},
	"seq_num":{"type":"long"},
	"spi":{"type":"text"},
	"src_interface":{"type":"text"},
	"src_ip":{"type":"ip"},
	"src_mapped_ip":{"type":"ip"},
	"src_mapped_port":{"type":"long"},
	"src_port":{"type":"long"},
	"src_xlated_interface":{"type":"text"},
	"src_xlated_ip":{"type":"ip"},
	"syslog_facility":{"type":"text"},
	"syslog_facility_code":{"type":"long"},
	"syslog_pri":{"type":"text"},
	"syslog_severity":{"type":"text"},
	"syslog_severity_code":{"type":"long"},
	"tags":{"type":"text"},
	"tcp_flags":{"type":"text"},
	"timestamp":{"type":"text"},
	"tunnel_type":{"type":"text"},
	"type":{"type":"text"},
	"user":{"type":"text"},
	"xlate_type":{"type":"text"}
	}
	}
	}
	}'