From bf8798f1d13ee3c5bbf455122c19b0dcfaa6d7c1 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Tue, 30 Jun 2020 03:04:01 +0000
Subject: [PATCH] Fix krb client/server cert subject parsing

---
 salt/elasticsearch/files/ingest/zeek.kerberos | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.kerberos b/salt/elasticsearch/files/ingest/zeek.kerberos
index 33381cd2d..917b38b54 100644
--- a/salt/elasticsearch/files/ingest/zeek.kerberos
+++ b/salt/elasticsearch/files/ingest/zeek.kerberos
@@ -13,9 +13,9 @@
     { "rename": 	{ "field": "message2.cipher", 		"target_field": "kerberos.ticket.cipher",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.forwardable", 	"target_field": "kerberos.ticket.forwardable",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.renewable", 	"target_field": "kerberos.ticket.renewable",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_cert_subject", 	"target_field": "kerberos.client.certificate.subject",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_cert_subject", 	"target_field": "kerberos.client_certificate.subject",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.client_cert_fuid", 	"target_field": "log.id.client_certificate_fuid",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_cert_subject", 	"target_field": "kerberos.server.certificate.subject",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_cert_subject", 	"target_field": "kerberos.server_certificate.subject",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.server_cert_fuid", 	"target_field": "log.id.server_certificate_fuid",	"ignore_missing": true 	} },
     { "pipeline":       { "name": "zeek.common"                                                                                   } }
   ]