Merge pull request #473 from Security-Onion-Solutions/more_elastic_stuff

More elastic stuff
This commit is contained in:
weslambert
2020-03-30 20:41:56 -04:00
committed by GitHub
3 changed files with 583 additions and 559 deletions


@@ -16,7 +16,7 @@
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "set": { "field": "server.port", "value": "{{destination.port}}" } },
{ "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": ["message2.ts", "path", "agent"], "ignore_failure": true } },
{ "remove": { "field": ["agent"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
]
}
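Review bot: The rendered hunk does not preserve which of the two `remove` lines is the new side, so this point is conditional: if the retained processor is `{ "remove": { "field": ["agent"], "ignore_failure": true } }`, the raw `message2.ts` string stays in every indexed Zeek event next to the `@timestamp` the `date` processor derived from it, and `path` is kept as well. That is not a parsing defect, but it stores the event time twice and leaves a non-ECS field in each document unless the `common` pipeline named in the last processor drops `message2` wholesale, which is not visible here. Since the pipeline is strict JSON and cannot carry an inline comment, the reason for narrowing the removal to `agent` belongs in the commit description or the README beside these pipeline definitions. If the three-field line is the new side instead, the change looks correct and nothing further is needed.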


@@ -20,7 +20,7 @@ name: {{ HOSTNAME }}
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: error
logging.level: warning
# Enable debug output for selected components. To enable all selectors use ["*"]
# Other available selectors are "beat", "publish", "service"
@@ -82,7 +82,8 @@ filebeat.inputs:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields:
module: zeek
dataset: {{ LOGNAME }}
dataset: {{ LOGNAME }}
category: network
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
@@ -100,6 +101,7 @@ filebeat.inputs:
fields:
module: suricata
dataset: alert
category: network
processors:
- drop_fields:
@@ -118,7 +120,7 @@ filebeat.inputs:
fields:
module: ossec
dataset: alert
category: host
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
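Review bot: The templated values next to the new `category` lines are unquoted, `dataset: {{ LOGNAME }}` in the second hunk and `name: {{ HOSTNAME }}` on the first hunk's header line; this file appears to be rendered by a template engine before Filebeat parses it, so the expanded text is read as plain YAML and an empty, all-digit or boolean-looking expansion would change type instead of staying a string. Quoting them, `dataset: "{{ LOGNAME }}"` and `name: "{{ HOSTNAME }}"`, keeps `fields.dataset` and the beat name strings for every log name and hostname. The two identical `dataset: {{ LOGNAME }}` lines in the second hunk presumably differ only in indentation that the rendered page dropped, so it is worth confirming that `dataset` and `category` end up at the same level as `module` in the rendered file, since a stray indent level silently nests the value or folds it into the previous scalar. The `filebeat.inputs` list these entries belong to starts outside the hunks.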
