change suricata parsers from dataset to event.dataset

2025-12-06 17:22:49 +01:00 · 2023-06-08 12:31:31 -04:00
parent d1c86cb9ff
commit e5f76a9c6e
5 changed files with 33 additions and 34 deletions
--- a/salt/elasticsearch/files/ingest/suricata.fileinfo
+++ b/salt/elasticsearch/files/ingest/suricata.fileinfo
@@ -1,7 +1,7 @@
 {
  "description" : "suricata.fileinfo",
  "processors" : [
-    { "set":      { "field": "dataset",        "value": "file"  } },
+    { "set":      	{ "field": "event.dataset",        		"value": "file"  						} },
    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.fileinfo.filename", 	"target_field": "file.name",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/suricata.flow
+++ b/salt/elasticsearch/files/ingest/suricata.flow
@@ -1,7 +1,7 @@
 {
  "description" : "suricata.flow",
  "processors" : [
-    { "set":      { "field": "dataset",        "value": "conn"  } },
+    { "set":      	{ "field": "event.dataset",        		"value": "conn"  							} },
    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.flow.state", 		"target_field": "connection.state",		"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/suricata.krb5
+++ b/salt/elasticsearch/files/ingest/suricata.krb5
@@ -1,7 +1,7 @@
 {
  "description" : "suricata.krb5",
  "processors" : [
-    { "set":      { "field": "dataset",        "value": "kerberos"  } },
+    { "set":      	{ "field": "event.dataset",        		"value": "kerberos"  							} },
    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto",		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename":         { "field": "message2.krb5.msg_type",		"target_field": "kerberos.request_type",	"ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/suricata.tls
+++ b/salt/elasticsearch/files/ingest/suricata.tls
@@ -1,7 +1,7 @@
 {
  "description" : "suricata.tls",
  "processors" : [
-    { "set":      	{ "field": "dataset",        			"value": "ssl"  								} },
+    { "set":      	{ "field": "event.dataset",			"value": "ssl"  								} },
    { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",			"ignore_missing": true 	} },
    { "rename":         { "field": "message2.tls.subject",              "target_field": "ssl.certificate.subject",		"ignore_missing": true  } },
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -30,7 +30,6 @@
    { "rename": 	{ "field": "message2.extracted",	"target_field": "file.extracted.filename",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.extracted_cutoff",	"target_field": "file.extracted.cutoff",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.extracted_size",	"target_field": "file.extracted.size",		"ignore_missing": true 	} },
-    { "set":            { "field": "dataset",                   "value": "file"                                                 } },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
 }