fix ossec fields

2025-12-06 09:12:45 +01:00 · 2020-03-24 15:42:31 +00:00
parent 239e0a0cb6
commit ef808875f4
1 changed files with 46 additions and 45 deletions
--- a/salt/elasticsearch/files/ingest/ossec.alert
+++ b/salt/elasticsearch/files/ingest/ossec.alert
@@ -8,14 +8,15 @@
    { "rename":         { "field": "message2.decoder",                          "target_field": "decoder",              "ignore_missing": true  } },
    { "rename":         { "field": "message2.full_log",                         "target_field": "log.full",             "ignore_missing": true  } },
    { "rename":         { "field": "message2.id",                               "target_field": "log.id.id",                    "ignore_missing": true  } },
-    { "rename": 	{ "field": "message2.location", 			"target_field": "location",		"ignore_missing": true 	} },
+    { "rename":         { "field": "message2.location",                         "target_field": "log.location",         "ignore_missing": true  } },
    { "rename":         { "field": "message2.manager",                          "target_field": "manager",              "ignore_missing": true  } },
    { "rename":         { "field": "message2.predecoder",                       "target_field": "predecoder",           "ignore_missing": true  } },
-    { "rename": 	{ "field": "message2.timestamp", 			"target_field": "timestamp",		"ignore_missing": true 	} },
+    { "rename":         { "field": "message2.timestamp",                        "target_field": "event.timestamp",              "ignore_missing": true  } },
    { "rename":         { "field": "message2.previous_log",                        "target_field": "log.previous_log",            "ignore_missing": true  } },
    { "rename":         { "field": "message2.previous_output",                        "target_field": "log.previous_output",            "ignore_missing": true  } },
    { "rename":         { "field": "message2.rule",                             "target_field": "rule",         "ignore_missing": true  } },
-    { "rename": 	{ "field": "data.command", 				"target_field": "command",		"ignore_missing": true 	} },
+    { "rename":         { "field": "message2.syscheck",                         "target_field": "host.syscheck",        "ignore_missing": true  } },
+    { "rename":         { "field": "data.command",                              "target_field": "process.command_line",         "ignore_missing": true  } },
    { "rename":         { "field": "data.dstip",                                "target_field": "destination.ip",       "ignore_missing": true  } },
    { "rename":         { "field": "data.dstport",                              "target_field": "destination.port",     "ignore_missing": true  } },
    { "rename":         { "field": "data.dstuser",                              "target_field": "user.escalated",       "ignore_missing": true  } },