From 71e3b2d1fb8f19ac92143c34dbec6207ded9cdd5 Mon Sep 17 00:00:00 2001
From: Peter Di Giorgio <16980376+lock-wire@users.noreply.github.com>
Date: Thu, 27 Oct 2022 15:40:07 -0700
Subject: [PATCH] Create zeek.bacnet

---
 salt/elasticsearch/files/ingest/zeek.bacnet | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.bacnet

diff --git a/salt/elasticsearch/files/ingest/zeek.bacnet b/salt/elasticsearch/files/ingest/zeek.bacnet
new file mode 100644
index 000000000..d4484aa4a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.bacnet
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.bacnet",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "bacnet.is.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bclv.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_type", "target_field": "bacnet.pdu.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.pdu_service", "target_field": "bacnet.pdu.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.invoke_id", "target_field": "bacnet.invoke.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.result_code", "target_field": "bacnet.result.code", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
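Review bot: The fourth rename maps `message2.bvlc_function` to `bacnet.bclv.function`, which transposes the letters of the source name (BVLC, the BACnet Virtual Link Control layer) and so appears to be a typo; any dashboard, saved search or detection rule written against the expected `bacnet.bvlc.function` would silently return nothing for this function code. The line should read `{ "rename": { "field": "message2.bvlc_function", "target_field": "bacnet.bvlc.function", "ignore_missing": true } },` unless the misspelt key is already relied on elsewhere in the repo. Separately, `"ignore_failure": true` on the `json` processor means a message that is not valid JSON passes through with no `bacnet.*` fields and no error marker; if that is intended, a short note in `description` saying that unparseable records are indexed unenriched would save the next analyst from hunting for them, and otherwise an `on_failure` handler that tags the event would make the gap visible.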