Example: Asterisk AMI
Lorenzo Mangani edited this page Jul 23, 2021
·
6 revisions
The ami plugin is used to get events from the Asterisk Manager Interface (AMI).
In this example, we'll correlate Asterisk security events to SIP sessions.
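;
; Asterisk Call Management support
;
[general]
enabled = yes
port = 5038
; Listen on loopback only: the collector in this example connects to
; 127.0.0.1, so the manager port does not need to be reachable from other hosts.
bindaddr = 127.0.0.1
webenabled = no

; Manager user for the event collector; read level is limited to security events.
[admin]
; Example secret only. Replace it with a long random value and use the same
; value for "pass" in the collector's ami input.
secret = admin
; Accept logins for this user from the local host only.
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
; read options: system, security, call, log, verbose, command, agent, user, all
read = security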
# Read events from the Asterisk manager interface on the local host.
input {
  ami {
    host => "127.0.0.1"
    port => 5038
    # user/pass must match the [admin] section of manager.conf shown above.
    # "admin" is the example value from this page; the secret sits in this
    # file in plain text, so keep the file readable only by the account that
    # runs the collector.
    user => "admin"
    pass => "admin"
  }
}

filter {
  # Copy the AMI SessionID into correlation_id; the sample output on this
  # page shows both fields carrying the same value.
  compute_field {
    field => correlation_id
    value => "#{SessionID}"
  }
  # Render a one-line summary of the event into the payload field.
  # NOTE(review): the sample output on this page shows a payload that this
  # template would not produce - presumably captured with a different
  # template; verify before relying on the payload format.
  mustache {
    template => '{{Event}} {{LocalAddress}} -> {{RemoteAddress}}: {{AccountID}} (AUTH: {{UsingPassword}})'
    target_field => 'payload'
  }
}

# Forward the events as HEP to a collector on the local host.
output {
  hep {
    host => 127.0.0.1
    port => 9060
    hep_id => 2022
    hep_type => 100
  }
}
[STDOUT] {
"Event": "ChallengeSent",
"Privilege": "security,all",
"EventTV": "2017-09-17T20:02:49.331+0000",
"Severity": "Informational",
"Service": "PJSIP",
"EventVersion": "1",
"AccountID": "asterisk1",
"SessionID": "969910647",
"LocalAddress": "IPV4/UDP/167.114.148.48/5060",
"RemoteAddress": "IPV4/UDP/80.101.51.6/61782",
"Challenge": "",
"host": "localhost.localdomain",
"@timestamp": "2017-09-17T20:02:49.374Z",
"@version": "1",
"correlation_id": "969910647",
"payload": "969910647 received localhost.localdomain"
}
[STDOUT] {
"Event": "SuccessfulAuth",
"Privilege": "security,all",
"EventTV": "2017-09-17T20:02:49.430+0000",
"Severity": "Informational",
"Service": "PJSIP",
"EventVersion": "1",
"AccountID": "asterisk1",
"SessionID": "969910647",
"LocalAddress": "IPV4/UDP/167.114.148.48/5060",
"RemoteAddress": "IPV4/UDP/80.101.51.6/61782",
"UsingPassword": "1",
"host": "localhost.localdomain",
"@timestamp": "2017-09-17T20:02:49.473Z",
"@version": "1",
"correlation_id": "969910647",
"payload": "969910647 received localhost.localdomain"
}