Fix krb client/server cert subject parsing

2025-12-06 17:22:49 +01:00 · 2020-06-30 03:04:01 +00:00
parent 8f5da66335
commit bf8798f1d1
1 changed files with 2 additions and 2 deletions
--- a/salt/elasticsearch/files/ingest/zeek.kerberos
+++ b/salt/elasticsearch/files/ingest/zeek.kerberos
@@ -13,9 +13,9 @@
    { "rename": 	{ "field": "message2.cipher", 		"target_field": "kerberos.ticket.cipher",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.forwardable", 	"target_field": "kerberos.ticket.forwardable",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.renewable", 	"target_field": "kerberos.ticket.renewable",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.client_cert_subject", 	"target_field": "kerberos.client.certificate.subject",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_cert_subject", 	"target_field": "kerberos.client_certificate.subject",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.client_cert_fuid", 	"target_field": "log.id.client_certificate_fuid",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.server_cert_subject", 	"target_field": "kerberos.server.certificate.subject",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_cert_subject", 	"target_field": "kerberos.server_certificate.subject",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.server_cert_fuid", 	"target_field": "log.id.server_certificate_fuid",	"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]