From e023aeb9be52f752c3c857a55baa5c9219185df9 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Wed, 1 Apr 2020 21:27:25 +0000
Subject: [PATCH] use agent name for observer name

---
 salt/elasticsearch/files/ingest/suricata.common | 1 +
 salt/elasticsearch/files/ingest/zeek.common     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index c5009f31e..4a1f293b2 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -8,6 +8,7 @@
     { "rename":{ "field": "message2.dest_ip",       "target_field": "destination.ip",  "ignore_failure": true  } },
     { "rename":{ "field": "message2.dest_port",       "target_field": "destination.port",  "ignore_failure": true  } },
     { "rename":         { "field": "message2.community_id",        "target_field": "network.community_id",     "ignore_missing": true  } },
+    { "set":         { "field": "observer.name",        "value": "{{agent.name}}"  } },
     { "remove":         { "field": ["agent"],     "ignore_failure": true                                                                  } },
     { "pipeline": { "name": "common" } }
   ]
diff --git a/salt/elasticsearch/files/ingest/zeek.common b/salt/elasticsearch/files/ingest/zeek.common
index 88949353c..fe1e50fe1 100644
--- a/salt/elasticsearch/files/ingest/zeek.common
+++ b/salt/elasticsearch/files/ingest/zeek.common
@@ -15,6 +15,7 @@
     { "dot_expander":   { "field": "id.resp_p",                 "path": "message2",                     "ignore_failure": true  } },
     { "rename":         { "field": "message2.id.resp_p",        "target_field": "destination.port",     "ignore_missing": true  } },
     { "set":         { "field": "server.port",        "value": "{{destination.port}}"  } },
+    { "set":         { "field": "observer.name",        "value": "{{agent.name}}"  } },
     { "date":		{ "field": "message2.ts",	"target_field": "@timestamp",	"formats": ["ISO8601", "UNIX"], "ignore_failure": true	} },
     { "remove":		{ "field": ["agent"],	"ignore_failure": true									} },
     { "pipeline":	{ "name": "common" 													} }