From 56eb220ed6eedfd25e912beffeaf5a00c2f26f1f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 8 Jun 2021 09:52:05 -0400
Subject: [PATCH] Revert to SO taxonomy for zeek and suricata

---
 salt/filebeat/etc/filebeat.yml           | 77 ++++++++++++++++++++++++
 salt/filebeat/securityoniondefaults.yaml | 20 +-----
 2 files changed, 78 insertions(+), 19 deletions(-)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 46a59f772..f933cee2e 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -111,7 +111,84 @@ filebeat.inputs:
   fields_under_root: true
 {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
+  {%- if ZEEKVER != 'SURICATA' %}
+  {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
+- type: log
+  paths:
+    - /nsm/zeek/logs/current/{{ LOGNAME }}.log
+  fields:
+    module: zeek
+    dataset: {{ LOGNAME }}
+    category: network
+  processors:
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]
+
+  fields_under_root: true
+  clean_removed: true
+  close_removed: false
+- type: log
+  paths:
+    - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log
+  fields:
+    module: zeek
+    dataset: {{ LOGNAME }}
+    category: network
+    imported: true
+  processors:
+    - add_tags:
+        tags: ["import"]
+    - dissect:
+        tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}"
+        field: "log.file.path"
+        target_prefix: ""
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]
+
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+  {%- endfor %}
+  {%- endif %}
+
+- type: log
+  paths:
+    - /nsm/suricata/eve*.json
+  fields:
+    module: suricata
+    dataset: common
+    category: network
+
+  processors:
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]
+
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+
+- type: log
+  paths:
+    - /nsm/import/*/suricata/eve*.json
+  fields:
+    module: suricata
+    dataset: common
+    category: network
+    imported: true
+  processors:
+    - add_tags:
+        tags: ["import"]
+    - dissect:
+        tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}"
+        field: "log.file.path"
+        target_prefix: ""
+    - drop_fields:
+        fields: ["source", "prospector", "input", "offset", "beat"]
+
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
 {%- if STRELKAENABLED == 1 %}
 - type: log
   paths:
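Review bot: The `drop_fields` list repeated in all four new inputs, `["source", "prospector", "input", "offset", "beat"]`, uses the Filebeat 6.x metadata field names, while the `dissect` processors in the same hunk read `log.file.path`, which only exists under the 7.x layout (`log.file.path`, `log.offset`, `input.type`, `agent.*`) — so on a 7.x beat only `input` is likely to match and every shipped event probably still carries the sensor's file path, offset and agent details. I would replace the list with the fields that actually exist, e.g. `fields: ["log", "input", "agent", "ecs"]` plus `ignore_missing: true`, after confirming nothing downstream keys on `log.file.path` (the import inputs already copy what they need into `import.id`/`import.file` before this processor runs). Separately, the live Zeek input sets `clean_removed: true` whereas its import twin and both Suricata inputs set `false`; if that is deliberate (Zeek rotates files out of `current/`, eve.json stays in place), a comment such as `# Zeek rotates logs out of current/; drop their registry state once gone` would keep the next reader from treating it as a copy-paste slip. The `filebeat.inputs` list this hunk extends begins and ends outside the hunk.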
diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml
index f503e5de1..cd215e242 100644
--- a/salt/filebeat/securityoniondefaults.yaml
+++ b/salt/filebeat/securityoniondefaults.yaml
@@ -23,22 +23,4 @@ securityonion_filebeat:
         var.paths: ["/logs/redis.log"]
       slowlog:
         enabled: false
-    suricata:
-      eve:
-        enabled: true
-        var.paths: ["/nsm/suricata/eve*.json"]
-    {%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %}
-    {%- if ZEEKVER != 'SURICATA' %}
-    zeek:
-    {%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
-    {% if LOGNAME in ZEEKLOGLOOKUP.keys() %}
-    {% set FILESET = ZEEKLOGLOOKUP.get(LOGNAME) %}
-    {% else %}
-    {% set FILESET = LOGNAME %}
-    {% endif %}
-    {{ FILESET }}:
-      enabled: true
-      var.paths: ["/nsm/zeek/logs/current/{{ LOGNAME }}.log"]
-    {%- endfor %}
-    {%- endif %}
-    {%- endif %}
+ 
\ No newline at end of file