From 1bb76bb2514a36b529e16c40988f485e585e3854 Mon Sep 17 00:00:00 2001
From: doug
Date: Tue, 29 Nov 2022 07:50:21 -0500
Subject: [PATCH] update zeek s7comm parsers

---
 salt/elasticsearch/files/ingest/zeek.s7comm | 18 +++++++++---------
 .../files/ingest/zeek.s7comm_plus | 10 +++++-----
 salt/elasticsearch/files/ingest/zeek.wireguard | 10 +++++-----
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm b/salt/elasticsearch/files/ingest/zeek.s7comm
index 646c6bec3..e9f5e6318 100644
--- a/salt/elasticsearch/files/ingest/zeek.s7comm
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm
@@ -1,15 +1,15 @@
 {
 "description" : "zeek.s7comm",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
- { "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
- { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
- { "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
- { "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
- { "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
- { "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.rosctr_name", "target_field": "s7.ros.control.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_code", "target_field": "s7.function.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.function_name", "target_field": "s7.function.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_class", "target_field": "s7.error.class", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "s7.error.code", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_plus b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
index a6acd1b35..cbb7d5723 100644
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_plus
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.s7comm_plus",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
- { "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
- { "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcode", "target_field": "s7.opcode.value", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcode_name", "target_field": "s7.opcode.name", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.wireguard b/salt/elasticsearch/files/ingest/zeek.wireguard
index e8a56bfe0..1df929666 100644
--- a/salt/elasticsearch/files/ingest/zeek.wireguard
+++ b/salt/elasticsearch/files/ingest/zeek.wireguard
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.wireguard",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
- { "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
- { "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
+ { "rename": { "field": "message2.initiations", "target_field": "wireguard.initiations", "ignore_missing": true } },
+ { "rename": { "field": "message2.responses", "target_field": "wireguard.responses", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }