diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert index 612144c6e..0abadc290 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert @@ -1,11 +1,11 @@ { "description" : "zeek.opcua_binary_activate_session_client_software_cert", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } }, - { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } }, + { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info index bd1266d39..90cdf2b62 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info @@ -1,10 +1,10 @@ { "description" : "zeek.opcua_binary_activate_session_diagnostic_info", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id index 83469ef53..08d8a672e 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id @@ -1,10 +1,10 @@ { "description" : "zeek.opcua_binary_activate_session_locale_id", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse index b9a5c1de6..83d388082 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse @@ -1,16 +1,16 @@ { "description" : "zeek.opcua_binary_browse", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info new file mode 100644 index 000000000..3d58d8030 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_browse_diagnostic_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point new file mode 100644 index 000000000..ce971109b --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_browse_request_continuation_point", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.continuation_point", "target_field": "opcua.continuation_point", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references index 6191020a7..960a0a939 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references @@ -1,22 +1,22 @@ { "description" : "zeek.opcua_binary_browse_response_references", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } }, - { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } }, + { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result index 8c0bff894..857e7ffb5 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result @@ -1,11 +1,11 @@ { "description" : "zeek.opcua_binary_browse_result", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery new file mode 100644 index 000000000..cf9a56135 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery @@ -0,0 +1,11 @@ +{ + "description" : "zeek.opcua_binary_create_session_discovery", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.discovery_profile_uri", "target_field": "opcua.discovery_profile_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints index 719733706..79d8ac067 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints @@ -1,21 +1,21 @@ { "description" : "zeek.opcua_binary_create_session_endpoints", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } }, - { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } }, - { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } }, - { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } }, - { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } }, - { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } }, + { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } }, + { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } }, + { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } }, + { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } }, + { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token index 45f0b8f43..722ca2fd0 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token @@ -1,11 +1,11 @@ { "description" : "zeek.opcua_binary_create_session_user_token", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } }, - { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } }, + { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription index 4087d7636..832ac75b1 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription @@ -2,7 +2,7 @@ "description" : "zeek.opcua_binary_create_subscription", "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } }, { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail new file mode 100644 index 000000000..170c35be0 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail @@ -0,0 +1,21 @@ +{ + "description" : "zeek.opcua_binary_diag_info_detail", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } }, + { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } }, + { "rename": { "field": "message2.inner_diag_level", "target_field": "opcua.inner_diag_level", "ignore_missing": true } }, + { "rename": { "field": "message2.has_symbolic_id", "target_field": "opcua.has_symbolic_id", "ignore_missing": true } }, + { "rename": { "field": "message2.has_namespace_uri", "target_field": "opcua.has_namespace_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.has_locale", "target_field": "opcua.has_locale", "ignore_missing": true } }, + { "rename": { "field": "message2.has_locale_txt", "target_field": "opcua.has_locale_txt", "ignore_missing": true } }, + { "rename": { "field": "message2.has_addl_info", "target_field": "opcua.has_addl_info", "ignore_missing": true } }, + { "rename": { "field": "message2.addl_info", "target_field": "opcua.addl_info", "ignore_missing": true } }, + { "rename": { "field": "message2.has_inner_stat_code", "target_field": "opcua.has_inner_stat_code", "ignore_missing": true } }, + { "rename": { "field": "message2.inner_stat_code", "target_field": "opcua.inner_stat_code", "ignore_missing": true } }, + { "rename": { "field": "message2.has_inner_diag_info", "target_field": "opcua.has_inner_diag_info", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints index 2b80c97a8..51f9349fc 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints @@ -1,10 +1,10 @@ { "description" : "zeek.opcua_binary_get_endpoints", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description index 876b050a3..072d6bd31 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description @@ -1,21 +1,21 @@ { "description" : "zeek.opcua_binary_get_endpoints_description", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } }, - { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } }, - { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } }, - { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } }, - { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } }, + { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } }, + { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } }, + { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } }, + { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery new file mode 100644 index 000000000..eeaf91dcb --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_get_endpoints_discovery", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id new file mode 100644 index 000000000..3716b3bb5 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_get_endpoints_locale_id", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri new file mode 100644 index 000000000..65309e588 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_get_endpoints_profile_uri", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.profile_uri", "target_field": "opcua.profile_uri", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token index 539225b60..524456511 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token @@ -2,7 +2,7 @@ "description" : "zeek.opcua_binary_get_endpoints_user_token", "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } }, { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } }, { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel index e6baef81e..59c41206d 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel @@ -1,15 +1,15 @@ { "description" : "zeek.opcua_binary_opensecure_channel", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } }, - { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } }, - { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } }, - { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } }, - { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } }, - { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server_proto_ver", "ignore_missing": true } }, + { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.sec_token_sec_channel_id", "ignore_missing": true } }, + { "rename": { "field": "message2.sec_token_id", "target_field": "opcua.sec_token_id", "ignore_missing": true } }, + { "rename": { "field": "message2.sec_token_created_at", "target_field": "opcua.sec_token_created_at", "ignore_missing": true } }, + { "rename": { "field": "message2.sec_token_revised_time", "target_field": "opcua.sec_token_revised_time", "ignore_missing": true } }, + { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read index 8d951e8d5..9eee12ff7 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read @@ -1,10 +1,10 @@ { "description" : "zeek.opcua_binary_read", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read index c601a5dff..cbc829a04 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read @@ -1,16 +1,15 @@ { "description" : "zeek.opcua_binary_read_nodes_to_read", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } }, - { "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } }, - { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } }, - { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } }, - { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } }, - { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } }, + { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } }, + { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } }, + { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } }, + { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results index e54afc469..49d14d404 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results @@ -1,12 +1,17 @@ { "description" : "zeek.opcua_binary_read_results", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } }, - { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } }, + { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.data_variant_encoding_mask", "target_field": "opcua.data_variant_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.data_variant_data_type", "target_field": "opcua.data_variant_data_type", "ignore_missing": true } }, + { "rename": { "field": "message2.data_variant_data_type_str", "target_field": "opcua.data_variant_data_type_string", "ignore_missing": true } }, + { "rename": { "field": "message2.built_in_data_type", "target_field": "opcua.built_in_data_type", "ignore_missing": true } }, + { "rename": { "field": "message2.built_in_data_type_str", "target_field": "opcua.built_in_data_type_string", "ignore_missing": true } }, + { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link index 9f5275893..1dca46473 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link @@ -1,10 +1,10 @@ { "description" : "zeek.opcua_binary_read_results_link", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail index c19c7a6e4..e1bff04a4 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail @@ -2,7 +2,7 @@ "description" : "zeek.opcua_binary_status_code_detail", "processors" : [ { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } }, { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } }, { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl new file mode 100644 index 000000000..c044c08a5 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl @@ -0,0 +1,15 @@ +{ + "description" : "zeek.s7comm_read_szl", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } }, + { "rename": { "field": "message2.method", "target_field": "s7.method", "ignore_missing": true } }, + { "rename": { "field": "message2.szl_id", "target_field": "s7.szl_id", "ignore_missing": true } }, + { "rename": { "field": "message2.szl_id_name", "target_field": "s7.szl_id_name", "ignore_missing": true } }, + { "rename": { "field": "message2.szl_index", "target_field": "s7.szl_index", "ignore_missing": true } }, + { "rename": { "field": "message2.return_code", "target_field": "s7.return_code", "ignore_missing": true } }, + { "rename": { "field": "message2.return_code_name", "target_field": "s7.return_code_name", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +}