diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common
index a65742f99..d8de06f31 100644
--- a/salt/elasticsearch/files/ingest/common
+++ b/salt/elasticsearch/files/ingest/common
@@ -39,6 +39,9 @@
 { "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_missing": true } },
 { "rename": { "field": "category", "target_field": "event.category", "ignore_missing": true } },
 { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_failure": true, "ignore_missing": true } },
+ { "convert": { "field": "destination.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
+ { "convert": { "field": "source.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
+ { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } },
 { "remove": { "field": [ "index_name_prefix", "message2", "type" ],
diff --git a/salt/elasticsearch/files/ingest/zeek.x509 b/salt/elasticsearch/files/ingest/zeek.x509
index 9c4c4aa1d..49a79dbd0 100644
--- a/salt/elasticsearch/files/ingest/zeek.x509
+++ b/salt/elasticsearch/files/ingest/zeek.x509
@@ -3,7 +3,7 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
+ { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
 { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
 { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
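Review bot: The three new `convert` processors in the common pipeline use `ignore_failure: true`, so a `source.port` or `destination.port` value that is not numeric is left as a string and the event continues with no marker; if the index template maps those fields as numbers, the document is then rejected at bulk-index time, where the failure is much harder to trace back to its source than a pipeline error would be. Consider replacing `ignore_failure` on each convert with an `on_failure` handler that tags the event, e.g. `"on_failure": [ { "append": { "field": "tags", "value": "port_convert_failed" } } ]`, so malformed values stay visible and searchable instead of silently diverging from the mapping. The enclosing `processors` array begins and ends outside the hunk, and the template mapping for these fields is not visible here, so the rejection behaviour is inferred.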
diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
index b32794f5b..b8c12d80f 100644
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -19,7 +19,7 @@ output {
 elasticsearch {
 hosts => "{{ ES }}"
 index => "so-import-%{+YYYY.MM.dd}"
- template_name => "logstash"
+ template_name => "so-common"
 template => "/so-common-template.json"
 template_overwrite => true
 }
diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
index 4ea9cfe12..fdcbb0eb1 100644
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -21,7 +21,7 @@ output {
 elasticsearch {
 hosts => "{{ ES }}"
 index => "so-ids-%{+YYYY.MM.dd}"
- template_name => "logstash"
+ template_name => "so-common"
 template => "/so-common-template.json"
 template_overwrite => true
 }
diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
index 2c9796b5f..41c82e21e 100644
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -21,7 +21,7 @@ output {
 elasticsearch {
 hosts => "{{ ES }}"
 index => "so-firewall-%{+YYYY.MM.dd}"
- template_name => "logstash"
+ template_name => "so-common"
 template => "/so-common-template.json"
 template_overwrite => true
 }
diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
index 640c50f39..e7e917727 100644
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
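Review bot: Switching `template_name` from `logstash` to `so-common` in the 9002, 9033 and 9200 outputs installs a new template but leaves the previously pushed `logstash` template in Elasticsearch untouched; if its index pattern still covers the `so-*` indices written here, it keeps competing with `so-common` and the mapping that wins on a given node depends on template order rather than on what this commit intends. Add a cleanup step alongside this change — a Salt state or a one-off call that deletes the stale `logstash` template — or at least record in the commit message that it must be removed by hand on existing deployments. The old template's index pattern is not visible here, so whether it actually overlaps is inferred; each `output` block opens outside its hunk.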
@@ -21,6 +21,7 @@ output {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
 index => "so-ids-%{+YYYY.MM.dd}"
+ template_name => "so-common"
 template => "/so-common-template.json"
 }
 }
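Review bot: The suricata output now names the `so-common` template but, unlike the import, snort and firewall outputs changed in the same commit, it carries no `template_overwrite => true`; with that option absent Logstash will not replace an already-installed `so-common` template from this output, so if this pipeline is the one that comes up against a stale copy the index mapping can silently differ from the other three. Add `template_overwrite => true` directly after the `template => "/so-common-template.json"` line so all four outputs manage the shared template the same way. The enclosing `output` block opens outside the hunk, so any setting declared earlier in it is not visible here.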