diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete
index 0564ad3c6..fe21daae0 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete
@@ -1,4 +1,9 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 . /usr/sbin/so-common
 POLICY_ID=$1
diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list
index 8a9638922..479fdc72d 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list
@@ -1,4 +1,9 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 . /usr/sbin/so-common
 # Let's snag a cookie from Kibana
diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view
index 6ab6474b0..5f267220b 100644
--- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view
@@ -1,4 +1,9 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 . /usr/sbin/so-common
 POLICY_ID=$1
diff --git a/salt/common/tools/sbin/so-elastic-fleet-data-streams-list b/salt/common/tools/sbin/so-elastic-fleet-data-streams-list
index 9348428e8..238fc8ada 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-data-streams-list
+++ b/salt/common/tools/sbin/so-elastic-fleet-data-streams-list
@@ -1,4 +1,9 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 . /usr/sbin/so-common
 # Let's snag a cookie from Kibana
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
new file mode 100644
index 000000000..9c2061cd9
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
@@ -0,0 +1,21 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+POLICY_ID=$1
+
+# Let's snag a cookie from Kibana
+SESSIONCOOKIE=$(curl -q -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
+
+# Get integration policies relative to agent policy
+INTEGRATION_POLICY_IDS=$(curl -q -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq -r '.item.package_policies[].id')
+
+for i in $INTEGRATION_POLICY_IDS; do
+ # Delete integration policies
+ echo "Deleting integration policy: $i..."
+ curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d"{\"packagePolicyIds\": [\"$i\"], \"force\":true}";
+done
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete
index b66b7eca8..a8601028c 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete
@@ -1,4 +1,9 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 . /usr/sbin/so-common
 POLICY_ID=$1
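Review bot: The new script is added with `new file mode 100644` while every sibling in this directory is 100755, so `so-elastic-fleet-integration-policy-bulk-delete` is not executable as installed; its first line `#/bin/bash` is also missing the `!`, so it is a comment rather than a shebang and the file runs under whatever shell happens to invoke it. `POLICY_ID=$1` is interpolated into the agent-policy URL without any check, and an empty argument turns the GET into a request for `agent_policies/` rather than a single policy, so `jq` finds no `.item.package_policies` and the loop silently runs zero times instead of telling the operator what went wrong. Suggest `#!/bin/bash` on line 1 and, after the source line, `: "${POLICY_ID:?usage: ${0##*/} <agent-policy-id>}"`. Neither curl call passes `--fail` or checks its exit status either, so a Kibana error body is piped into `grep`/`jq` and lost the same way.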
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list
index c73e84174..07d2822fb 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list
@@ -1,4 +1,9 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 . /usr/sbin/so-common
 # Let's snag a cookie from Kibana
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
index 614fc81b1..f4924aac4 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -1,4 +1,8 @@
 #/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 . /usr/sbin/so-common
@@ -18,58 +22,47 @@ echo "Setting up default Security Onion package policies for Elastic Agent..." # Set up Suricata logs echo "Setting up Suricata package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "suricata_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "alert", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", "custom": "pipeline: suricata.common" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "suricata", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", "custom": "pipeline: suricata.common" }}}}}}' + +# Set up Zeek logs +echo "Setting up Zeek package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek", "custom": "prospector.scanner.exclude_files: [\"(broker | capture_loss | loaded_scripts | packet_filter | stats | stderr | stdout).log$\"]\n" } } } } } }' # Import - Suricata echo "Settings up Suricata import package policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "import_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "alert", "tags": ["import"], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": ["import"], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }' -# Zeek logs -{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} - {%- if ZEEKVER != 'SURICATA' %} - {% import_yaml 'filebeat/defaults.yaml' as FBD with context %} - {% set 
FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %} - {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %} - -# Set up Zeek {{ LOGNAME }} logs -echo "Setting up Zeek {{ LOGNAME }} package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-{{ LOGNAME }}", "description": "Zeek {{ LOGNAME }} logs", "namespace": "zeek_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/zeek/logs/current/{{ LOGNAME }}.log" ], "data_stream.dataset": "{{ LOGNAME }}", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: zeek", "custom": "pipeline: zeek.{{ LOGNAME }}" }}}}}}' -echo - -echo "Setting up Zeek import {{ LOGNAME }} package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-zeek-{{ LOGNAME }}-logs", "name": "import-zeek-{{ LOGNAME }}-logs", "description": "Import Zeek {{ LOGNAME }} logs", "namespace": "import_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/{{ LOGNAME }}.log"], "data_stream.dataset": "{{ LOGNAME }}", "tags": ["import"], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true", "custom": "pipeline: zeek.{{ LOGNAME }}" } } } } } }' - - {%- endfor %} - {%- endif %} -{%- endif %} +# Set Import - Zeek logs +echo "Setting up Zeek Import package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true", "custom": "prospector.scanner.exclude_files: [\"(broker | capture_loss | loaded_scripts | packet_filter | stats | stderr | stdout).log$\"]" } } } } } }' # Strelka logs echo "Setting up Strelka package policy" -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "strelka_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 
'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' # Syslog TCP Port 514 echo "Setting up Syslog TCP package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "syslog_so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- add_fields:\n target: event\n fields:\n module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "tcp", "version": "1.5.0" }, "id": "syslog-tcp-514", "name": "syslog-tcp-514", "description": "Syslog Over TCP Port 514", "namespace": "so", "inputs": { "tcp-tcp": { "enabled": true, "streams": { "tcp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "processors": "- 
add_fields:\n target: event\n fields:\n module: syslog", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }' # Syslog UDP Port 514 echo "Setting up Syslog UDP package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "syslog_so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "udp", "version": "1.5.0" }, "id": "syslog-udp-514", "name": "syslog-udp-514", "description": "Syslog over UDP Port 514", "namespace": "so", "inputs": { "udp-udp": { "enabled": true, "streams": { "udp.generic": { "enabled": true, "vars": { "listen_address": "0.0.0.0", "listen_port": "514", "data_stream.dataset": "syslog", "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", "tags": [ "syslog" ], "syslog_options": "field: message\n#format: auto\n#timezone: Local" } } } } } }' # Kratos logs echo "Setting up Kratos package policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "kratos_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "access", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "access", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}' # RITA Beacon logs echo "Setting up RITA Beacon package policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-beacon-logs", "name": "rita-beacon-logs", "description": "RITA Beacon logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv" ], "data_stream.dataset": "beacon", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.beacon" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-beacon-logs", "name": "rita-beacon-logs", "description": "RITA Beacon logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/beacons.csv" ], "data_stream.dataset": "beacon", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.beacon" }}}}}}' # RITA Connection Logs echo "Setting up RITA connection package policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-connection-logs", "name": "rita-connection-logs", "description": "RITA Connection logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/long-connections.csv" ], "data_stream.dataset": "connections", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.connections" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-connection-logs", "name": "rita-connection-logs", "description": "RITA Connection logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/long-connections.csv" ], "data_stream.dataset": "connections", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.connections" }}}}}}' # RITA DNS Logs echo "Setting up RITA DNS package policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-exploded-dns-logs", "name": "rita-exploded-dns-logs", "description": "RITA Exploded DNS logs", "namespace": "rita_so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "exploded_dns", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.dns" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "rita-exploded-dns-logs", "name": "rita-exploded-dns-logs", "description": "RITA Exploded DNS logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/rita/exploded-dns.csv" ], "data_stream.dataset": "exploded_dns", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: rita", "custom": "pipeline: rita.dns" }}}}}}' # Elasticsearch logs curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "elasticsearch", "version": "1.0.0" }, "id": "elasticsearch-logs", "name": "elasticsearch-logs", "description": "Elasticsearch Logs", "namespace": "default", "inputs": { "elasticsearch-logfile": { "enabled": true, "streams": { "elasticsearch.audit": { "enabled": false, "vars": { "paths": [ 
"/var/log/elasticsearch/*_audit.json" ] } }, "elasticsearch.deprecation": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_deprecation.json" ] } }, "elasticsearch.gc": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/gc.log.[0-9]*", "/var/log/elasticsearch/gc.log" ] } }, "elasticsearch.server": { "enabled": true, "vars": { "paths": [ "/opt/so/log/elasticsearch/*.log" ] } }, "elasticsearch.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_index_search_slowlog.json", "/var/log/elasticsearch/*_index_indexing_slowlog.json" ] } } } }, "elasticsearch-elasticsearch/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9200" ], "scope": "node" }, "streams": { "elasticsearch.stack_monitoring.ccr": { "enabled": false }, "elasticsearch.stack_monitoring.cluster_stats": { "enabled": false }, "elasticsearch.stack_monitoring.enrich": { "enabled": false }, "elasticsearch.stack_monitoring.index": { "enabled": false }, "elasticsearch.stack_monitoring.index_recovery": { "enabled": false, "vars": { "active.only": true } }, "elasticsearch.stack_monitoring.index_summary": { "enabled": false }, "elasticsearch.stack_monitoring.ml_job": { "enabled": false }, "elasticsearch.stack_monitoring.node": { "enabled": false }, "elasticsearch.stack_monitoring.node_stats": { "enabled": false }, "elasticsearch.stack_monitoring.pending_tasks": { "enabled": false }, "elasticsearch.stack_monitoring.shard": { "enabled": false } } } } }' 
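Review bot: The `prospector.scanner.exclude_files` regex added for the `zeek-logs` policy, and repeated in `import-zeek-logs`, has spaces around every `|`, so its alternatives are `broker `, ` capture_loss `, ` loaded_scripts ` and so on, none of which can match a filename such as `stats.log`; unless that spacing is a rendering artifact, nothing is excluded and those files are routed by the new dissect/script processors to pipelines named `zeek.stats`, `zeek.stderr`, etc. Both payloads should read `"custom": "prospector.scanner.exclude_files: [\"(broker|capture_loss|loaded_scripts|packet_filter|stats|stderr|stdout).log$\"]\n"`. Two smaller inconsistencies: `zeek-logs` and `import-zeek-logs` carry no `"id"` while `suricata-logs` and `import-suricata-logs` do, so re-running the loader may create duplicates instead of a predictable conflict, and `import-zeek-logs` sets `"tags": []` where `import-suricata-logs` (and the removed per-log Zeek import policies) set `"tags": ["import"]`, so anything keyed on that tag will miss imported Zeek data. The enclosing script begins before this hunk, where `SESSIONCOOKIE` is obtained.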
@@ -82,3 +75,4 @@ curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POS
 # Redis logs
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }'
+
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index ff96d139b..11b445c62 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1165,7 +1165,7 @@ elasticsearch:
 index_template:
 data_stream: {}
 index_patterns:
- - logs-*_so
+ - logs-*-so*
 template:
 mappings:
 dynamic_templates:
@@ -1418,7 +1418,7 @@ elasticsearch:
 index_sorting: False
 index_template:
 index_patterns:
- - so-elasticsearch*
+ - logs-elasticsearch-default*
 template:
 mappings:
 dynamic_templates:
@@ -2171,7 +2171,7 @@ elasticsearch:
 index_template:
 data_stream: {}
 index_patterns:
- - logs-*-suricata_so
+ - logs-suricata-so*
 template:
 mappings:
 dynamic_templates:
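Review bot: The catch-all pattern `logs-*-so*` in the first defaults.yaml hunk overlaps every per-module pattern this commit introduces (`logs-suricata-so*` here, and `logs-import-so*`, `logs-kratos-so*`, `logs-strelka-so*`, `logs-syslog-so*`, `logs-zeek-so*` in the hunks that follow); Elasticsearch rejects composable index templates whose patterns overlap at the same priority and otherwise applies only the highest-priority match, so the catch-all's `priority` must be strictly lower than each module template's, and that key sits outside these hunks — please confirm it is set that way. The trailing `*` also makes the catch-all match any namespace that merely begins with `so`, not only `so`; if a single namespace is intended, `logs-*-so` is the tighter form. The old `_so`-suffixed patterns were anchored at the end, so this widening is worth a sentence in the commit message.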
@@ -2339,7 +2339,7 @@ elasticsearch:
 index_template:
 data_stream: {}
 index_patterns:
- - logs-*-import_so
+ - logs-import-so*
 template:
 mappings:
 dynamic_templates:
@@ -2678,7 +2678,7 @@ elasticsearch:
 index_sorting: False
 index_template:
 index_patterns:
- - logs-*-kratos_so
+ - logs-kratos-so*
 template:
 mappings:
 dynamic_templates:
@@ -2755,7 +2755,7 @@ elasticsearch:
 index_sorting: False
 index_template:
 index_patterns:
- - so-logstash*
+ - logs-logstash-default*
 template:
 mappings:
 dynamic_templates:
@@ -3676,7 +3676,7 @@ elasticsearch:
 index_sorting: False
 index_template:
 index_patterns:
- - so-redis*
+ - logs-redis-default*
 template:
 mappings:
 dynamic_templates:
@@ -4178,7 +4178,7 @@ elasticsearch:
 index_template:
 data_stream: {}
 index_patterns:
- - logs-*-strelka_so
+ - logs-strelka-so*
 template:
 mappings:
 dynamic_templates:
@@ -4263,7 +4263,7 @@ elasticsearch:
 index_sorting: False
 index_template:
 index_patterns:
- - so-syslog*
+ - logs-syslog-so*
 template:
 mappings:
 dynamic_templates:
@@ -4432,7 +4432,7 @@ elasticsearch:
 index_template:
 data_stream: {}
 index_patterns:
- - logs-*-zeek_so
+ - logs-zeek-so*
 template:
 mappings:
 dynamic_templates:
diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index a8be6d46b..6e956d196 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -9,12 +9,11 @@
 { "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
 { "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
 { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
- { "remove":{ "field": "dataset", "ignore_failure": true } },
- { "rename":{ "field": "message2.event_type", "target_field": "dataset", "ignore_failure": true } },
+ { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
 { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
 { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
 { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
 { "remove":{ "field": "agent", "ignore_failure": true } },
- { "pipeline": { "if": "ctx?.dataset != null", "name": "suricata.{{dataset}}" } }
+ { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } }
 ]
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet b/salt/elasticsearch/files/ingest/zeek.bacnet
index a96a05b56..08e89d7a3 100644
--- a/salt/elasticsearch/files/ingest/zeek.bacnet
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bacnet",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bacnet" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
index c51cbf5c1..f848e683a 100644
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
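Review bot: The new `set` processor in the suricata.common hunk writes `event.dataset` unconditionally, so when `message2.event_type` is absent the mustache template renders an empty string instead of leaving the field unset; the rewritten guard `ctx?.event?.dataset != null` on the `pipeline` processor then passes and tries to invoke a pipeline literally named `suricata.`, which fails the document. The removed `rename` with `ignore_failure` left `dataset` unset in that case, so this is a behaviour change rather than a pure field move. Adding `"ignore_empty_value": true` to the set processor, or guarding it with `"if": "ctx.message2?.event_type != null"`, restores the old skip. The enclosing pipeline object starts before the hunk.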
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_discovery
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bacnet_discovery",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bacnet_discovery" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet_property b/salt/elasticsearch/files/ingest/zeek.bacnet_property
index d04c4c327..80e23652f 100644
--- a/salt/elasticsearch/files/ingest/zeek.bacnet_property
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet_property
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bacnet_property",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bacnet_property" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is_orig", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
index b92d7f233..965d642df 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_header
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_ip_header",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_ip_header" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.num_msg", "target_field": "bsap.number.messages", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
index f5ebd3a0a..aade31c21 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_ip_rdb",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_ip_rdb" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.header_size", "target_field": "bsap.header.length", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
index 15d9a8fd9..d561c90b0 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_ip_unknown",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_ip_unknown" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.data", "target_field": "bsap.ip.unknown.data", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
index b4b499ff1..2cfcd7ecf 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_header
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_serial_header",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_serial_header" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.ser", "target_field": "bsap.message.serial_number", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
index f45d8c0cd..8e7f07802 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_serial_rdb",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_serial_rdb" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.func_code", "target_field": "bsap.rdb.function", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
index 2ca85ad78..110095b59 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_serial_rdb_ext",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_serial_rdb_ext" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.dfun", "target_field": "bsap.destination.function", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
index ea0c5e471..bb30c5940 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.bsap_serial_unknown",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "bsap_serial_unknown" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.data", "target_field": "bsap.serial.unknown.data", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip
index 5182a7037..a704c2b28 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.cip",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "cip" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_identity b/salt/elasticsearch/files/ingest/zeek.cip_identity
index a3522f86a..e36678f66 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip_identity
+++ b/salt/elasticsearch/files/ingest/zeek.cip_identity
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.cip_identity",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "cip_identity" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.encapsulation_version", "target_field": "cip.encapsulation.version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io
index 68c376b05..f41c3f431 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip_io
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.cip_io",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "cip_io" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 14689f782..73ce29c1d 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.conn",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "conn" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.cotp b/salt/elasticsearch/files/ingest/zeek.cotp
index fb4b090cd..f5abd87f6 100644
--- a/salt/elasticsearch/files/ingest/zeek.cotp
+++ b/salt/elasticsearch/files/ingest/zeek.cotp
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.cotp",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "cotp" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.pdu_code", "target_field": "cotp.pdu.code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dce_rpc b/salt/elasticsearch/files/ingest/zeek.dce_rpc
index 247946073..0f6ae6d67 100644
--- a/salt/elasticsearch/files/ingest/zeek.dce_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.dce_rpc
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dce_rpc",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dce_rpc" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dhcp b/salt/elasticsearch/files/ingest/zeek.dhcp
index f3a551edd..d2d151847 100644
--- a/salt/elasticsearch/files/ingest/zeek.dhcp
+++ b/salt/elasticsearch/files/ingest/zeek.dhcp
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dhcp",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dhcp" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uids", "target_field": "log.id.uids", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3 b/salt/elasticsearch/files/ingest/zeek.dnp3
index 6618289f8..e8011463b 100644
--- a/salt/elasticsearch/files/ingest/zeek.dnp3
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dnp3",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dnp3" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.fc_request", "target_field": "dnp3.fc_request", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3_control b/salt/elasticsearch/files/ingest/zeek.dnp3_control
index 0c465b5d2..e6a3a106c 100644
--- a/salt/elasticsearch/files/ingest/zeek.dnp3_control
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_control
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dnp3_control",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dnp3_control" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.block_type", "target_field": "dnp3.block_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3_objects b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
index c78ae9e1f..bdce7e8d1 100644
--- a/salt/elasticsearch/files/ingest/zeek.dnp3_objects
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3_objects
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dnp3_objects",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dnp3_objects" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.function_code", "target_field": "dnp3.function_code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns
index 9d7f7e93b..5f39b8017 100644
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dns",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dns" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.dpd b/salt/elasticsearch/files/ingest/zeek.dpd
index 59ceed368..2f76c5ecb 100644
--- a/salt/elasticsearch/files/ingest/zeek.dpd
+++ b/salt/elasticsearch/files/ingest/zeek.dpd
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.dpd",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "dpd" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
index c5f9b9dc3..e9c056666 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_aoe_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_aoe_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_aoe_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.targetid", "target_field": "destination.mac", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
index cbc3676ab..750217dd3 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_arp_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_arp_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_arp_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.arp_type", "target_field": "ecat.arp.type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
index e425e3173..8571ece05 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_coe_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_coe_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_coe_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.number", "target_field": "ecat.message.number", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
index d01289e9a..165c04134 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_dev_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_dev_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_dev_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.slave_id", "target_field": "ecat.slave.address", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
index 6655f2cb7..810435827 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_foe_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_foe_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_log_address b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
index ad0ee161f..c3f15ca29 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_log_address
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_log_address
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_log_address",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_log_address" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_registers b/salt/elasticsearch/files/ingest/zeek.ecat_registers
index d0a11ba83..363a71918 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_registers
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_registers
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_registers",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_registers" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.srcmac", "target_field": "source.mac", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
index bddc40efa..5785348bb 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_soe_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ecat_soe_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ecat_soe_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.enip b/salt/elasticsearch/files/ingest/zeek.enip
index fee3b058b..443a72f9a 100644
--- a/salt/elasticsearch/files/ingest/zeek.enip
+++ b/salt/elasticsearch/files/ingest/zeek.enip
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.enip",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "enip" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "enip.is_orig", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files
index c5fefa85f..105bbd326 100644
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.files",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "files" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ftp b/salt/elasticsearch/files/ingest/zeek.ftp
index 45aa76055..3767c7b10 100644
--- a/salt/elasticsearch/files/ingest/zeek.ftp
+++ b/salt/elasticsearch/files/ingest/zeek.ftp
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ftp",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ftp" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user", "target_field": "ftp.user", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.http b/salt/elasticsearch/files/ingest/zeek.http
index 3368e45e1..2224da2f7 100644
--- a/salt/elasticsearch/files/ingest/zeek.http
+++ b/salt/elasticsearch/files/ingest/zeek.http
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.http",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "http" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.intel b/salt/elasticsearch/files/ingest/zeek.intel
index 8be25c9ef..f3553ebd3 100644
--- a/salt/elasticsearch/files/ingest/zeek.intel
+++ b/salt/elasticsearch/files/ingest/zeek.intel
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.intel",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "intel" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.irc b/salt/elasticsearch/files/ingest/zeek.irc
index 3d40d7f80..e21f36553 100644
--- a/salt/elasticsearch/files/ingest/zeek.irc
+++ b/salt/elasticsearch/files/ingest/zeek.irc
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.irc",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "irc" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.nick", "target_field": "irc.nickname", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.kerberos b/salt/elasticsearch/files/ingest/zeek.kerberos
index 0b09ebf61..f8aec42ec 100644
--- a/salt/elasticsearch/files/ingest/zeek.kerberos
+++ b/salt/elasticsearch/files/ingest/zeek.kerberos
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.kerberos",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "kerberos" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.request_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus b/salt/elasticsearch/files/ingest/zeek.modbus
index a9dd91430..92d012862 100644
--- a/salt/elasticsearch/files/ingest/zeek.modbus
+++ b/salt/elasticsearch/files/ingest/zeek.modbus
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.modbus",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "modbus" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_detailed b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
index 635566c6a..f5bdf8200 100644
--- a/salt/elasticsearch/files/ingest/zeek.modbus_detailed
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_detailed
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.modbus_detailed",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "modbus_detailed" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
index d548fe615..9e4a0b21b 100644
--- a/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.modbus_mask_write_register",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "modbus_mask_write_register" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
index 234faa34f..2c7bf04b4 100644
--- a/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
+++ b/salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.read_write_multiple_registers",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "modbus_read_write_multiple_registers" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.unit_id", "target_field": "modbus.unit_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.mysql b/salt/elasticsearch/files/ingest/zeek.mysql
index e950d5f64..3e57e2a29 100644
--- a/salt/elasticsearch/files/ingest/zeek.mysql
+++ b/salt/elasticsearch/files/ingest/zeek.mysql
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.mysql",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "mysql" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.cmd", "target_field": "mysql.command", "ignore_missing": true } },
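Review bot: The dataset literal `modbus_read_write_multiple_registers` added in the zeek.modbus_read_write_multiple_registers hunk does not match the pipeline's own description `zeek.read_write_multiple_registers` on the preceding context line. Every `set` value introduced across the zeek.* hunks is a hand-typed copy of the suffix of the pipeline name, which is exactly the kind of duplication that drifts; this file is the one place the two already disagree, so the description should be brought in line, `"description" : "zeek.modbus_read_write_multiple_registers",`, or the value derived from a single source rather than repeated per file. The remainder of each pipeline's processor list continues outside the hunk.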
diff --git a/salt/elasticsearch/files/ingest/zeek.notice b/salt/elasticsearch/files/ingest/zeek.notice
index b662393f6..8e086ad05 100644
--- a/salt/elasticsearch/files/ingest/zeek.notice
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.notice",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "notice" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ntlm b/salt/elasticsearch/files/ingest/zeek.ntlm
index c8f2e37c0..a7d0cf782 100644
--- a/salt/elasticsearch/files/ingest/zeek.ntlm
+++ b/salt/elasticsearch/files/ingest/zeek.ntlm
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ntlm",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ntlm" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.hostname", "target_field": "host.name", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index 37a9cdf1a..acb2e1b6b 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
index 81f8e9392..00e3aa447 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_activate_session",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
index fe6f577eb..5f4f3d42d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_activate_session_client_software_cert",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_client_software_cert" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
index 283d1c78e..5363fe73d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_diagnostic_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
index 08d8a672e..353047101 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_activate_session_locale_id",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_activate_session_locale_id" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index 8c4d919cd..6bb11c636 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_browse",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_browse" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
index f1439f192..df35dff9b 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_browse_description",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_browse_description" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.browse_description_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
index 43560f4f0..71060bb6b 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_browse_diagnostic_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_browse_diagnostic_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
index ce971109b..48e68edad 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_browse_request_continuation_point",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_browse_request_continuation_point" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
index 960a0a939..ccfff9911 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_browse_response_references",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_browse_response_references" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
index d9eabbd87..9d47076fd 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_browse_result",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_browse_result" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
index d7e0d3d87..d2e490f1f 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_create_session",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_create_session" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
index cf9a56135..7a7753e45 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_create_session_discovery",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_discovery" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
index 0511211d5..c1e599c1e 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_create_session_endpoints",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_endpoints" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
index b86ec066d..169479a48 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_create_session_user_token",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_create_session_user_token" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
index 832ac75b1..c282f9393 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_create_subscription",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_create_subscription" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
index 170c35be0..9d6d63896 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_diag_info_detail",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_diag_info_detail" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
index 51f9349fc..90de3e82f 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
index b467196de..de9c9b0bc 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_description",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_description" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
index eeaf91dcb..4e9f964cf 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_discovery",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_discovery" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
index 3716b3bb5..ea592e19e 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_locale_id",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_locale_id" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
index 65309e588..39a9ef49a 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_profile_uri" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
index 33a3687cc..30d160c9c 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_user_token",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_get_endpoints_user_token" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
index 59c41206d..df91874f5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_opensecure_channel",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_opensecure_channel" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
index 9eee12ff7..07a9134e7 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
index a0955f534..661a4b49a 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_array_dims",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
index 94644246f..436aa65d5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_array_dims_link",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_array_dims_link" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
index 64376bd08..738c39e03 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_diagnostic_info",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_diagnostic_info" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
index 8ef46251b..b5f76e80b 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_extension_object",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_extension_object" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
index 0aae27ca1..463fbdeb5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_extension_object_link",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_extension_object_link" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.variant_data_ext_obj_link_id", "target_field": "opcua.variant_data_ext_obj_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
index 39c0c25b1..71263a3be 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_nodes_to_read",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_nodes_to_read" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
index 49d14d404..d049c851b 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_results",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_results" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
index 75245d212..a854b1f2f 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_results_link",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_results_link" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
index d3b6ece54..5c34f9b61 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_status_code",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_status_code" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.read_status_code_link_id", "target_field": "opcua.read_status_code_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
index d77404bc5..725efaf07 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_variant_data",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_variant_data" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
index 8585789ff..caad459ed 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_read_variant_data_link",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_read_variant_data_link" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
index e1bff04a4..2a410da2d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.opcua_binary_status_code_detail",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "opcua_binary_status_code_detail" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.pe b/salt/elasticsearch/files/ingest/zeek.pe
index 84f833742..e3bcd678f 100644
--- a/salt/elasticsearch/files/ingest/zeek.pe
+++ b/salt/elasticsearch/files/ingest/zeek.pe
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.pe",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "pe" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.profinet b/salt/elasticsearch/files/ingest/zeek.profinet
index e9d69c0dc..ca34a305c 100644
--- a/salt/elasticsearch/files/ingest/zeek.profinet
+++ b/salt/elasticsearch/files/ingest/zeek.profinet
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.profinet",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "profinet" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.operation_type", "target_field": "profinet.operation_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
index e89fd7d95..c3e200630 100644
--- a/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.profinet_dce_rpc",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "profinet_dce_rpc" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.version", "target_field": "profinet.version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.radius b/salt/elasticsearch/files/ingest/zeek.radius
index 715f41478..3b25dd32b 100644
--- a/salt/elasticsearch/files/ingest/zeek.radius
+++ b/salt/elasticsearch/files/ingest/zeek.radius
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.radius",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "radius" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.username", "target_field": "user.name", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.rdp b/salt/elasticsearch/files/ingest/zeek.rdp
index ce792f32a..a5aea03f1 100644
--- a/salt/elasticsearch/files/ingest/zeek.rdp
+++ b/salt/elasticsearch/files/ingest/zeek.rdp
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.rdp",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "rdp" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.cookie", "target_field": "rdp.cookie", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.rfb b/salt/elasticsearch/files/ingest/zeek.rfb
index fc0653d45..c566827c8 100644
--- a/salt/elasticsearch/files/ingest/zeek.rfb
+++ b/salt/elasticsearch/files/ingest/zeek.rfb
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.rfb",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "rfb" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.client_major_version", "target_field": "rfb.client_major_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm b/salt/elasticsearch/files/ingest/zeek.s7comm
index e9f5e6318..0af7ee935 100644
--- a/salt/elasticsearch/files/ingest/zeek.s7comm
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.s7comm",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "s7comm" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.rosctr_code", "target_field": "s7.ros.control.code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_plus b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
index cbb7d5723..e37603752 100644
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_plus
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_plus
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.s7comm_plus",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "s7comm_plus" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version", "target_field": "s7.version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
index c044c08a5..55571584a 100644
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.s7comm_read_szl",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "s7comm_read_szl" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download b/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
index 51d8ca03f..83f773f0a 100644
--- a/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_upload_download
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.s7comm_upload_download",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "s7comm_upload_download" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.rosctr", "target_field": "s7.ros.control.name", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.signatures b/salt/elasticsearch/files/ingest/zeek.signatures
index 2a5f23ec7..00381660e 100644
--- a/salt/elasticsearch/files/ingest/zeek.signatures
+++ b/salt/elasticsearch/files/ingest/zeek.signatures
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.signatures",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "signatures" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.sip b/salt/elasticsearch/files/ingest/zeek.sip
index 5a8627878..a520f5bcb 100644
--- a/salt/elasticsearch/files/ingest/zeek.sip
+++ b/salt/elasticsearch/files/ingest/zeek.sip
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.sip",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "sip" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "sip.transaction.depth", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.smb_files b/salt/elasticsearch/files/ingest/zeek.smb_files
index da78953fe..192c6f766 100644
--- a/salt/elasticsearch/files/ingest/zeek.smb_files
+++ b/salt/elasticsearch/files/ingest/zeek.smb_files
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.smb_files",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "smb_files" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.smb_mapping b/salt/elasticsearch/files/ingest/zeek.smb_mapping
index 637ff414f..5c6d8bb89 100644
--- a/salt/elasticsearch/files/ingest/zeek.smb_mapping
+++ b/salt/elasticsearch/files/ingest/zeek.smb_mapping
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.smb_mapping",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "smb_mapping" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.path", "target_field": "smb.path", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.smtp b/salt/elasticsearch/files/ingest/zeek.smtp
index 9bfb1e3e1..e671cce4c 100644
--- a/salt/elasticsearch/files/ingest/zeek.smtp
+++ b/salt/elasticsearch/files/ingest/zeek.smtp
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.smtp",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "smtp" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "remove": { "field": "path", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.snmp b/salt/elasticsearch/files/ingest/zeek.snmp
index 664bc4112..6ee65f776 100644
--- a/salt/elasticsearch/files/ingest/zeek.snmp
+++ b/salt/elasticsearch/files/ingest/zeek.snmp
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.snmp",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "snmp" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.socks b/salt/elasticsearch/files/ingest/zeek.socks
index 6ccfa0d1a..24357c85b 100644
--- a/salt/elasticsearch/files/ingest/zeek.socks
+++ b/salt/elasticsearch/files/ingest/zeek.socks
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.socks",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "socks" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version", "target_field": "socks.version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.software b/salt/elasticsearch/files/ingest/zeek.software
index 16a2ae1f1..f5d3d1013 100644
--- a/salt/elasticsearch/files/ingest/zeek.software
+++ b/salt/elasticsearch/files/ingest/zeek.software
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.software",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "software" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "dot_expander": { "field": "version.major", "path": "message2", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ssh b/salt/elasticsearch/files/ingest/zeek.ssh
index 03a9abc15..cffcd854f 100644
--- a/salt/elasticsearch/files/ingest/zeek.ssh
+++ b/salt/elasticsearch/files/ingest/zeek.ssh
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ssh",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ssh" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version", "target_field": "ssh.version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.ssl b/salt/elasticsearch/files/ingest/zeek.ssl
index e51fd4591..8ae7c8728 100644
--- a/salt/elasticsearch/files/ingest/zeek.ssl
+++ b/salt/elasticsearch/files/ingest/zeek.ssl
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.ssl",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "ssl" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.stun b/salt/elasticsearch/files/ingest/zeek.stun
index 48f648d74..322c1030a 100644
--- a/salt/elasticsearch/files/ingest/zeek.stun
+++ b/salt/elasticsearch/files/ingest/zeek.stun
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.stun",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "stun" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.stun_nat b/salt/elasticsearch/files/ingest/zeek.stun_nat
index 45f9b3055..3ba4f7840 100644
--- a/salt/elasticsearch/files/ingest/zeek.stun_nat
+++ b/salt/elasticsearch/files/ingest/zeek.stun_nat
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.stun_nat",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "stun_nat" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.syslog b/salt/elasticsearch/files/ingest/zeek.syslog
index 5bdbd9736..4d58430a3 100644
--- a/salt/elasticsearch/files/ingest/zeek.syslog
+++ b/salt/elasticsearch/files/ingest/zeek.syslog
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.syslog",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "syslog" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.tds b/salt/elasticsearch/files/ingest/zeek.tds
index 43c2cad18..9ad7b60bb 100644
--- a/salt/elasticsearch/files/ingest/zeek.tds
+++ b/salt/elasticsearch/files/ingest/zeek.tds
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.tds",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "tds" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_rpc b/salt/elasticsearch/files/ingest/zeek.tds_rpc
index 75a73c6ba..2915653c3 100644
--- a/salt/elasticsearch/files/ingest/zeek.tds_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.tds_rpc
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.tds_rpc",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "tds_rpc" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
index 560cd1ef3..70f3ef755 100644
--- a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
+++ b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.tds_sql_batch",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "tds_sql_batch" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.tunnel b/salt/elasticsearch/files/ingest/zeek.tunnel
index 66250091e..76b1ca745 100644
--- a/salt/elasticsearch/files/ingest/zeek.tunnel
+++ b/salt/elasticsearch/files/ingest/zeek.tunnel
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.tunnel",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "tunnel" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "pipeline": { "name": "zeek.tunnels" } }
 ]
diff --git a/salt/elasticsearch/files/ingest/zeek.tunnels b/salt/elasticsearch/files/ingest/zeek.tunnels
index bb4c18268..84fddcda1 100644
--- a/salt/elasticsearch/files/ingest/zeek.tunnels
+++ b/salt/elasticsearch/files/ingest/zeek.tunnels
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.tunnels",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "tunnels" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel.type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.weird b/salt/elasticsearch/files/ingest/zeek.weird
index 2665bbb33..deb5e8058 100644
--- a/salt/elasticsearch/files/ingest/zeek.weird
+++ b/salt/elasticsearch/files/ingest/zeek.weird
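Review bot: The `event.dataset` value `tunnel` added to zeek.tunnel is overwritten before the document is indexed, because the pipeline's next processor hands the event to `zeek.tunnels`, whose own new `set` (in the same hunk line) assigns `tunnels`, and `set` replaces an existing value by default. If the two pipelines are meant to yield distinct dataset names, the inner one should leave a value that is already present alone, e.g. `{ "set": { "field": "event.dataset", "value": "tunnels", "override": false } }`; if everything routed through zeek.tunnel is meant to be `tunnels`, the first `set` is dead and can be dropped. Either way, a one-line comment in the description of zeek.tunnel stating which dataset name detections and dashboards should match would prevent the next person from re-adding it.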
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.weird",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "weird" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.name", "target_field": "weird.name", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.wireguard b/salt/elasticsearch/files/ingest/zeek.wireguard
index 1df929666..26ee0e0a3 100644
--- a/salt/elasticsearch/files/ingest/zeek.wireguard
+++ b/salt/elasticsearch/files/ingest/zeek.wireguard
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.wireguard",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "wireguard" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.established", "target_field": "wireguard.established", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.x509 b/salt/elasticsearch/files/ingest/zeek.x509
index 49a79dbd0..640ea81e3 100644
--- a/salt/elasticsearch/files/ingest/zeek.x509
+++ b/salt/elasticsearch/files/ingest/zeek.x509
@@ -1,6 +1,7 @@
 {
 "description" : "zeek.x509",
 "processors" : [
+ { "set": { "field": "event.dataset", "value": "x509" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
diff --git a/salt/mysql/etc/my.cnf b/salt/mysql/etc/my.cnf
index e37f690dc..243cc4c51 100644
--- a/salt/mysql/etc/my.cnf
+++ b/salt/mysql/etc/my.cnf
@@ -29,3 +29,6 @@ symbolic-links=0
 log-error=/var/log/mysql/mysqld.log
 pid-file=/var/run/mysqld/mysqld.pid
+
+# Switch back to the native password module so that playbook can connect
+default_authentication_plugin=mysql_native_password
\ No newline at end of file
diff --git a/setup/so-verify b/setup/so-verify
index 685e50d81..77cdf7c8e 100755
--- a/setup/so-verify
+++ b/setup/so-verify
@@ -17,7 +17,7 @@ using_iso() {
 if [ "$setup_type" == "iso" ]; then
 return 0
 fi
- return 0
+ return 1
 }
 
 # Check entire setup log for errors or unexpected salt states
@@ -54,7 +54,8 @@ log_has_errors() {
 # For ISO installs, we know nothing else can be running on this server, so there should be
 # nothing in any mail spool dir.
 cron_error_in_mail_spool() {
- if find /var/spool/mail/ -type f -size +0 &> /dev/null; then
+ count=$(find /var/spool/mail/ -type f -size +0 | wc -l)
+ if [[ $count -ne 0 ]]; then
 return 0
 fi
 return 1
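Review bot: `default_authentication_plugin=mysql_native_password` lowers the server-wide default for every account created afterwards, not only the playbook user, and mysql_native_password is the older SHA-1 based scheme that newer MySQL 8.0 releases mark deprecated. If only the playbook client library cannot negotiate the current default, scoping the change to that single account at provisioning time (`ALTER USER ... IDENTIFIED WITH mysql_native_password BY ...`) keeps the remaining accounts on the stronger plugin. The comment should name the client or library that forces this so the setting can be reverted once it is upgraded, e.g. `# playbook's MySQL client lacks caching_sha2_password support; remove once it is updated`. The new last line also drops the trailing newline (`\ No newline at end of file`), which is worth restoring.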
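Review bot: `count` in cron_error_in_mail_spool is assigned without `local`, so the new line leaks a global into whatever calls the function; declare it with `local count` on the line before. If /var/spool/mail/ does not exist, `find` reports the error on stderr but `wc -l` still yields 0, so the check silently reports a clean spool — the previous form at least hid that by design with `&>`, and the two context comments at the top of the hunk say an ISO install is expected to have the directory with nothing in it, so a missing directory is probably worth failing on explicitly rather than passing. With GNU find the same test can stop at the first match instead of counting everything: `if [[ -n "$(find /var/spool/mail/ -type f -size +0 -print -quit)" ]]; then`. The `return 1` fix in using_iso in the first hunk looks correct.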