From d0edfd213176b75ea7bfe970df4822a7c8ee891e Mon Sep 17 00:00:00 2001
From: Josh Brower <josh@defensivedepth.com>
Date: Thu, 25 Jun 2026 14:18:43 -0400
Subject: [PATCH] set transport for ssl.established:false logs

---
 salt/elasticsearch/files/ingest/zeek.ssl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elasticsearch/files/ingest/zeek.ssl b/salt/elasticsearch/files/ingest/zeek.ssl
index 0bd6fedb2..80a7b12da 100644
--- a/salt/elasticsearch/files/ingest/zeek.ssl
+++ b/salt/elasticsearch/files/ingest/zeek.ssl
@@ -5,6 +5,7 @@
     { "remove":   { "field": ["host"],     "ignore_failure": true } },
     { "json":             { "field": "message",                 "target_field": "message2",             "ignore_failure": true  } },
     { "rename":         { "field": "message2.version",          "target_field": "ssl.version",          "ignore_missing": true  } },
+    { "set":      { "description": "Set transport for the community_id processor", "if": "ctx.ssl?.version == null || !ctx.ssl.version.startsWith('DTLS')", "field": "network.transport", "value": "tcp", "ignore_failure": true } },
     { "rename":         { "field": "message2.cipher",           "target_field": "ssl.cipher",           "ignore_missing": true  } },
     { "rename":         { "field": "message2.curve",            "target_field": "ssl.curve",            "ignore_missing": true  } },
     { "rename":         { "field": "message2.server_name",      "target_field": "ssl.server_name",              "ignore_missing": true  } },