Logstash Module - Change some parsing order

2025-12-09 18:52:52 +01:00 · 2018-10-15 19:24:01 -04:00
parent 4288f8ce62
commit cd823a26f3
2 changed files with 314 additions and 6 deletions
--- a/salt/logstash/conf/conf.enabled.txt.so-master
+++ b/salt/logstash/conf/conf.enabled.txt.so-master
@@ -12,6 +12,6 @@
 /usr/share/logstash/pipeline.so/0002_input_windows_json.conf
 /usr/share/logstash/pipeline.so/0003_input_syslog.conf
 /usr/share/logstash/pipeline.so/0005_input_suricata.conf
-/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
+/usr/share/logstash/pipeline.so/0006_input_beats.conf
 /usr/share/logstash/pipeline.so/0007_input_import.conf
 /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -1,8 +1,3 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolutions.com
-# Last Update: 12/11/2017
-
 input {
  beats {
    port => "5044"
@@ -13,3 +8,316 @@ input {
    tags => [ "beat" ]
  }
 }
+filter {
+  if "ids" in [tags] {
+    mutate {
+      replace => ["type" => "snort"]
+      add_tag => ["snort"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_conn" in [tags] {
+    mutate {
+      replace => ["type" => "bro_conn"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_dhcp" in [tags] {
+    mutate {
+      replace => ["type" => "bro_dhcp"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_dns" in [tags] {
+    mutate {
+      replace => ["type" => "bro_dns"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_dpd" in [tags] {
+    mutate {
+      replace => ["type" => "bro_dpd"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_files" in [tags] {
+    mutate {
+      replace => ["type" => "bro_files"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_ftp" in [tags] {
+    mutate {
+      replace => ["type" => "bro_ftp"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_http" in [tags] {
+    mutate {
+      replace => ["type" => "bro_http"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_irc" in [tags] {
+    mutate {
+      replace => ["type" => "bro_irc"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_kerberos" in [tags] {
+    mutate {
+      replace => ["type" => "bro_kerberos"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_notice" in [tags] {
+    mutate {
+      replace => ["type" => "bro_notice"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_rdp" in [tags] {
+    mutate {
+      replace => ["type" => "bro_rdp"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_signatures" in [tags] {
+    mutate {
+      replace => ["type" => "bro_signatures"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_smtp" in [tags] {
+    mutate {
+      replace => ["type" => "bro_smtp"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_snmp" in [tags] {
+    mutate {
+      replace => ["type" => "bro_snmp"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_software" in [tags] {
+    mutate {
+      replace => ["type" => "bro_software"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_ssh" in [tags] {
+    mutate {
+      replace => ["type" => "bro_ssh"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_ssl" in [tags] {
+    mutate {
+      replace => ["type" => "bro_ssl"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_syslog" in [tags] {
+    mutate {
+      replace => ["type" => "bro_syslog"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_tunnel" in [tags] {
+    mutate {
+      replace => ["type" => "bro_tunnel"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_weird" in [tags] {
+    mutate {
+      replace => ["type" => "bro_weird"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_mysql" in [tags] {
+    mutate {
+      replace => ["type" => "bro_mysql"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_socks" in [tags] {
+    mutate {
+      replace => ["type" => "bro_socks"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_x509" in [tags] {
+    mutate {
+      replace => ["type" => "bro_x509"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_intel" in [tags] {
+    mutate {
+      replace => ["type" => "bro_intel"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_modbus" in [tags] {
+    mutate {
+      replace => ["type" => "bro_modbus"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_sip" in [tags] {
+    mutate {
+      replace => ["type" => "bro_sip"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_radius" in [tags] {
+    mutate {
+      replace => ["type" => "bro_radius"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_pe" in [tags] {
+    mutate {
+      replace => ["type" => "bro_pe"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_rfb" in [tags] {
+    mutate {
+      replace => ["type" => "bro_rfb"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_dnp3" in [tags] {
+    mutate {
+      replace => ["type" => "bro_dnp3"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_smb_files" in [tags] {
+    mutate {
+      replace => ["type" => "bro_smb_files"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_smb_mapping" in [tags] {
+    mutate {
+      replace => ["type" => "bro_smb_mapping"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_ntlm" in [tags] {
+    mutate {
+      replace => ["type" => "bro_ntlm"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_dce_rpc" in [tags] {
+    mutate {
+      replace => ["type" => "bro_dce_rpc"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_telnet" in [tags] {
+    mutate {
+      replace => ["type" => "bro_telnet"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_openvpn" in [tags] {
+    mutate {
+      replace => ["type" => "bro_openvpn"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_mqtt" in [tags] {
+    mutate {
+      replace => ["type" => "bro_mqtt"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+
+  if "bro_dhcpv6" in [tags] {
+    mutate {
+      replace => ["type" => "bro_dhcpv6"]
+      add_tag => ["bro"]
+      remove_tag => ["beat"]
+    }
+  }
+}