# Original Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Wes Lambert
# Last Update: 12/14/2017
#
# This conf file is based on accepting logs for mysql.log from Bro systems
#
# Parse using grok
filter {
  if [type] == "bro_mysql" {
    grok {
      match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mysql_command>(.*?))\t(?<mysql_argument>(.*?))\t(?<mysql_success>(.*?))\t(?<rows>(.*?))\t(?<response>(.*))" ]
    }
	mutate {
		#add_tag => [ "conf_file_1121"]
	}
  }
}

# Reverting to grok for now, due to double-quoted values in log file
# Parse using csv filter
#filter {
#  if [type] == "bro_mysql" {
#    csv {
#      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
#    separator => "	"
#    quote_char=
#    }
#  }
#}