From 167051af2810b7f519dfdb8a255f1424a8763755 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 19 May 2023 15:44:09 -0400
Subject: [PATCH] Exclude Zeek's reporter.log from being picked up by Elastic Agent
---
 salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json
index f0127f2ae..03543b124 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json
@@ -20,7 +20,7 @@
 "data_stream.dataset": "zeek",
 "tags": [],
 "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
- "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|packet_filter|stats|stderr|stdout.log$\"]\n"
+ "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|packet_filter|reporter|stats|stderr|stdout.log$\"]\n"
 }
 }
 }
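Review bot: The `reporter` alternative added to `exclude_files` is an unanchored substring match, like every entry in that alternation except the final `stdout.log$` (the `$` binds only to the last alternative), so it suppresses any file under the harvested path whose name contains `reporter`, not just `reporter.log`; the unescaped `.` before `log` is also a wildcard. If exact-name matches are intended, anchoring the whole group is safer and needs no extra backslash escaping in the YAML-inside-JSON string: `"custom": "exclude_files: [\"/(broker|capture_loss|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|packet_filter|reporter|stats|stderr|stdout)[.]log$\"]\n"`. Note that reporter.log is where Zeek records its own runtime warnings and script errors, so dropping it removes sensor-health signal from the SIEM; the commit message gives no rationale, and presumably the dissect/script processors above would otherwise route those events to a `zeek.reporter` ingest pipeline that may not exist, which is worth stating in the commit message since strict JSON allows no inline comment. The JSON object containing this hunk starts before the hunk.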