Nmap codec plugin

For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-codec-nmap. See Working with plugins for more details.

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

This codec is used to parse namp output data which is serialized in XML format. Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. For more information on nmap, see https://nmap.org/.

This codec can only be used for decoding data.

Event types are listed below

nmap_scan_metadata: An object containing top level information about the scan, including how many hosts were up, and how many were down. Useful for the case where you need to check if a DNS based hostname does not resolve, where both those numbers will be zero. nmap_host: One event is created per host. The full data covering an individual host, including open ports and traceroute information as a nested structure. nmap_port: One event is created per host/port. This duplicates data already in nmap_host: This was put in for the case where you want to model ports as separate documents in Elasticsearch (which Kibana prefers). nmap_traceroute_link: One of these is output per traceroute connection, with a from and a to object describing each hop. Note that traceroute hop data is not always correct due to the fact that each tracing ICMP packet may take a different route. Also very useful for Kibana visualizations.