From fcfd74ec1ef7fdeeae920e1594bccf7fc55e6b44 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 14 Nov 2025 14:14:54 -0600
Subject: [PATCH] zeek.analyzer format json
---
 salt/elasticsearch/files/ingest/zeek.analyzer | 126 +++++++++++++++---
 1 file changed, 107 insertions(+), 19 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.analyzer b/salt/elasticsearch/files/ingest/zeek.analyzer
index 2f76c5ecb..7b0c3dfa7 100644
--- a/salt/elasticsearch/files/ingest/zeek.analyzer
+++ b/salt/elasticsearch/files/ingest/zeek.analyzer
@@ -1,20 +1,108 @@
 {
- "description" : "zeek.dpd",
- "processors" : [
- { "set": { "field": "event.dataset", "value": "dpd" } },
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.analyzer", "target_field": "observer.analyzer", "ignore_missing": true } },
- { "rename": { "field": "message2.failure_reason", "target_field": "error.reason", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
- ]
-}
+ "description": "zeek.dpd",
+ "processors": [
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "dpd"
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "host"
+ ],
+ "ignore_failure": true
+ }
+ },
+ {
+ "json": {
+ "field": "message",
+ "target_field": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.orig_h",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.orig_h",
+ "target_field": "source.ip",
+ "ignore_missing": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.orig_p",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.orig_p",
+ "target_field": "source.port",
+ "ignore_missing": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.resp_h",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.resp_h",
+ "target_field": "destination.ip",
+ "ignore_missing": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.resp_p",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.resp_p",
+ "target_field": "destination.port",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.proto",
+ "target_field": "network.protocol",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.analyzer",
+ "target_field": "observer.analyzer",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.failure_reason",
+ "target_field": "error.reason",
+ "ignore_missing": true
+ }
+ },
+ {
+ "pipeline": {
+ "name": "zeek.common"
+ }
+ }
+ ]
+}
\ No newline at end of file