himanshudas · May 27, 2020 14:53
diff --git a/logstash-grok-pattern-enriched-vpc-flow-logs b/logstash-grok-pattern-enriched-vpc-flow-logs
 # Enriched VPC Flow Log fields
 ${version} ${vpc-id} ${subnet-id} ${instance-id} ${interface-id} ${account-id} ${type} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${pkt-srcaddr} ${pkt-dstaddr} ${protocol} ${bytes} ${packets} ${start} ${end} ${action} ${tcp-flags} ${log-status}

 # https://aws.amazon.com/about-aws/whats-new/2020/05/add-enriched-metadata-to-amazon-vpc-flow-logs-published-to-cloudwatch-logs-and-s3/

 #GROK Pattern
 %{NUMBER:version:int} %{NOTSPACE:vpc-id} %{NOTSPACE:subnet-id} - %{NOTSPACE:interface-id} %{NUMBER:account-id} %{NOTSPACE:type} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NUMBER:srcport:int} %{NUMBER:dstport:int} %{NOTSPACE:srcpktaddr} %{NOTSPACE:dstpktaddr} %{NOTSPACE:protocol} %{NUMBER:bytes:int} %{NUMBER:packets:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:tcpflags} %{NOTSPACE:logstatus}
	# Enriched VPC Flow Log fields
	${version} ${vpc-id} ${subnet-id} ${instance-id} ${interface-id} ${account-id} ${type} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${pkt-srcaddr} ${pkt-dstaddr} ${protocol} ${bytes} ${packets} ${start} ${end} ${action} ${tcp-flags} ${log-status}

	# https://aws.amazon.com/about-aws/whats-new/2020/05/add-enriched-metadata-to-amazon-vpc-flow-logs-published-to-cloudwatch-logs-and-s3/

	#GROK Pattern
	%{NUMBER:version:int} %{NOTSPACE:vpc-id} %{NOTSPACE:subnet-id} - %{NOTSPACE:interface-id} %{NUMBER:account-id} %{NOTSPACE:type} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NUMBER:srcport:int} %{NUMBER:dstport:int} %{NOTSPACE:srcpktaddr} %{NOTSPACE:dstpktaddr} %{NOTSPACE:protocol} %{NUMBER:bytes:int} %{NUMBER:packets:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:tcpflags} %{NOTSPACE:logstatus}