From 206261fbe6f7da27c141710ed8b491940eddcd50 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 15 Jun 2020 16:55:14 +0000
Subject: [PATCH] rename id to log.id.fuid for X509
---
 salt/elasticsearch/files/ingest/zeek.x509 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.x509 b/salt/elasticsearch/files/ingest/zeek.x509
index 9c4c4aa1d..49a79dbd0 100644
--- a/salt/elasticsearch/files/ingest/zeek.x509
+++ b/salt/elasticsearch/files/ingest/zeek.x509
@@ -3,7 +3,7 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
+ { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
 { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
 { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
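Review bot: Nothing that reads the old top-level `id` on X509 events is updated alongside the added rename to `log.id.fuid`, since the diffstat shows a single file changed. Saved searches, dashboards or detections that filter on `id` would presumably stop matching new documents, while documents indexed before the change keep `id`, so a pivot from a certificate record to its related file or TLS logs has to query both names across the cutover. The commit description could say so, for example `x509: file ID moved from id to log.id.fuid; queries on id must be updated`, and confirm that the index template maps `log.id.fuid` as a keyword. Separately, the rename carries only `ignore_missing`, and a nested target fails the processor if `log` or `log.id` already holds a non-object value or `log.id.fuid` is already set. Whether the pipeline defines an `on_failure` handler cannot be seen here, because the `processors` array continues past the end of the hunk.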