# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Wes Lambert
# Last Update: 12/14/2017
#
# This conf file is based on accepting logs for ssh.log from Bro systems
filter {
  if [type] == "bro_ssh" {
    # This is the initial parsing of the log
    mutate {
      gsub => [ "message", "[\"']", "" ]
    }
    csv {
      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
      separator => "	"
    }
	mutate {
		#add_tag => [ "conf_file_1115"]
	}
  }
}