Community ID processor

edit

Computes the Community ID for network flow data as defined in the Community ID Specification. You can use a community ID to correlate network events related to a single flow.

The community ID processor reads network flow data from related Elastic Common Schema (ECS) fields by default. If you use the ECS, no configuration is required.

Table 8. Community ID Options

Name Required Default Description

source_ip

no

source.ip

Field containing the source IP address.

source_port

no

source.port

Field containing the source port.

destination_ip

no

destination.ip

Field containing the destination IP address.

destination_port

no

destination.port

Field containing the destination port.

iana_number

no

network.iana_number

Field containing the IANA number. The following protocol numbers are currently supported: 1 ICMP, 2 IGMP, 6 TCP, 17 UDP, 47 GRE, 58 ICMP IPv6, 88 EIGRP, 89 OSPF, 103 PIM, and 132 SCTP.

icmp_type

no

icmp.type

Field containing the ICMP type.

icmp_code

no

icmp.code

Field containing the ICMP code.

transport

no

network.transport

Field containing the transport protocol. Used only when the iana_number field is not present.

target_field

no

network.community_id

Output field for the community ID.

seed

no

0

Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme.

ignore_missing

no

true

If true and any required fields are missing, the processor quietly exits without modifying the document.

description

no

-

Description of the processor. Useful for describing the purpose of the processor or its configuration.

if

no

-

Conditionally execute the processor. See Conditionally run a processor.

ignore_failure

no

false

Ignore failures for the processor. See Handling pipeline failures.

on_failure

no

-

Handle failures for the processor. See Handling pipeline failures.

tag

no

-

Identifier for the processor. Useful for debugging and metrics.

Here is an example definition of the community ID processor:

{
  "description" : "...",
  "processors" : [
    {
      "community_id": {
      }
    }
  ]
}

When the above processor executes on the following document:

{
  "_source": {
    "source": {
      "ip": "123.124.125.126",
      "port": 12345
    },
    "destination": {
      "ip": "55.56.57.58",
      "port": 80
    },
    "network": {
      "transport": "TCP"
    }
  }
}

It produces this result:

"_source" : {
  "destination" : {
    "port" : 80,
    "ip" : "55.56.57.58"
  },
  "source" : {
    "port" : 12345,
    "ip" : "123.124.125.126"
  },
  "network" : {
    "community_id" : "1:9qr9Z1LViXcNwtLVOHZ3CL8MlyM=",
    "transport" : "TCP"
  }
}