diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 6b6a03a60..8143882c7 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -4,6 +4,7 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.pkt_src", "target_field": "network.packet_source","ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
+ { "rename": { "field": "message2.in_iface", "target_field": "observer.ingress.interface.name", "ignore_failure": true } },
 { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
 { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
 { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/suricata.ike b/salt/elasticsearch/files/ingest/suricata.ike
new file mode 100644
index 000000000..890b99baf
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.ike 
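Review bot: The added `in_iface` rename inherits this file's `"ignore_failure": true`, which hides every rename error and not only an absent source field — a rename that fails because `observer.ingress.interface.name` is already set leaves the interface buried under `message2.in_iface`, where no detection content keyed on the ECS name will see it. The new suricata.ike pipeline in this same commit uses the narrower `"ignore_missing": true` for the same purpose, so the two files now disagree on how a failed rename is handled; for the new line `{ "rename": { "field": "message2.in_iface", "target_field": "observer.ingress.interface.name", "ignore_missing": true } }` would let a real failure surface, with the rest of this file aligned in a follow-up. The index template is not part of the diff, so presumably `observer.ingress.interface.name` is already mapped as keyword; if it is not, dynamic mapping will pick the type on first sight — confirm.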
@@ -0,0 +1,21 @@
+{
+ "description" : "suricata.ike",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_auth", "target_field": "ike.algorithm.authentication", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_enc", "target_field": "ike.algorithm.encryption", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_esn", "target_field": "ike.algorithm.esn", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_dh", "target_field": "ike.algorithm.dh", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_prf", "target_field": "ike.algorithm.prf", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.exchange_type", "target_field": "ike.exchange_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.payload", "target_field": "ike.payload", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.role", "target_field": "ike.role", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.init_spi", "target_field": "ike.spi.initiator", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.resp_spi", "target_field": "ike.spi.responder", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.version_major", "target_field": "ike.version.major", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.version_minor", "target_field": "ike.version.minor", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.ikev2.errors", "target_field": "ike.ikev2.errors", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
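Review bot: This pipeline replaces the deleted `suricata.ikev2` file (third hunk), but nothing in the diff touches whatever routes a Suricata record to its per-event-type pipeline, so presumably that lookup is by `event_type` and now expects `suricata.ike`; a sensor still emitting `ikev2` records would then reference a pipeline that no longer exists, and with no `on_failure` handler here those events fail indexing instead of landing unparsed — confirm the dispatcher, or keep a `suricata.ikev2` that only forwards to this pipeline until every sensor is upgraded. The first two renames (`message2.proto`, `message2.app_proto`) duplicate lines visible in suricata.common in the first hunk; the execution order of the two pipelines is not visible, so one of them should be made the single owner of `network.transport` / `network.protocol` rather than relying on `ignore_missing` to make the duplicate harmless. The `ike.*` targets are a custom namespace (ECS defines no `ike` fieldset) and the negotiated `ike.algorithm.*` and `ike.version.*` values are what weak-crypto or downgrade detections will key on, which is worth stating in the description, e.g. `"description" : "suricata.ike - Suricata IKE eve records; ike.* is a custom (non-ECS) namespace"`.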
diff --git a/salt/elasticsearch/files/ingest/suricata.ikev2 b/salt/elasticsearch/files/ingest/suricata.ikev2
deleted file mode 100644
index 1916f6369..000000000
--- a/salt/elasticsearch/files/ingest/suricata.ikev2
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description" : "suricata.ikev2",
- "processors" : [
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "pipeline": { "name": "common" } }
- ]
-}