parse Bro logs using Elasticsearch ingest node

2025-12-09 10:42:54 +01:00 · 2019-09-23 16:04:23 -04:00
parent c685089b2b
commit 8472b24a67
48 changed files with 1375 additions and 123 deletions
--- a/salt/elasticsearch/files/ingest/bro_rdp
+++ b/salt/elasticsearch/files/ingest/bro_rdp
@@ -0,0 +1,31 @@
+{
+  "description" : "bro_rdp",
+  "processors" : [
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.uid", 	 	"target_field": "uid",			"ignore_missing": true 	} },
+    { "dot_expander": 	{ "field": "id.orig_h", 		"path": "message2", 			"ignore_failure": true 	} },
+    { "rename": 	{ "field": "message2.id.orig_h", 	"target_field": "source_ip",		"ignore_missing": true 	} },
+    { "dot_expander": 	{ "field": "id.orig_p", 		"path": "message2",			"ignore_failure": true 	} },
+    { "rename": 	{ "field": "message2.id.orig_p", 	"target_field": "source_port",		"ignore_missing": true 	} },
+    { "dot_expander": 	{ "field": "id.resp_h", 		"path": "message2",			"ignore_failure": true 	} },
+    { "rename": 	{ "field": "message2.id.resp_h", 	"target_field": "destination_ip",	"ignore_missing": true 	} },
+    { "dot_expander": 	{ "field": "id.resp_p", 		"path": "message2",			"ignore_failure": true 	} },
+    { "rename": 	{ "field": "message2.id.resp_p", 	"target_field": "destination_port",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cookie", 		"target_field": "cookie",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.result", 		"target_field": "result",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.security_protocol","target_field": "security_protocol",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.keyboard_layout", 	"target_field": "keyboard_layout",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_build", 	"target_field": "client_build",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_name", 	"target_field": "client_name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_dig_product_id", 	"target_field": "client_digital_product_id",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.desktop_width", 	"target_field": "desktop_width",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.desktop_height", 	"target_field": "desktop_height",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.requested_color_depth", 	"target_field": "requested_color_depth",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cert_type", 	"target_field": "certificate_type",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cert_count", 	"target_field": "certificate_count",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cert_permanent", 	"target_field": "certificate_permanent","ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.encryption_level",	"target_field": "encryption_level",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.encryption_method","target_field": "encryption_method",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "bro_common"                                                                                   } }
+  ]
+}