# Updated by: Mike Reeves # Last Update: 11/1/2018 input { file { path => "/suricata/eve.json" type => "ids" add_field => { "engine" => "suricata" } } file { path => "/nsm/zeek/logs/current/conn*.log" type => "zeek.conn" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/dce_rpc*.log" type => "zeek.dce_rpc" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/dhcp*.log" type => "zeek.dhcp" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/dnp3*.log" type => "zeek.dnp3" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/dns*.log" type => "zeek.dns" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/dpd*.log" type => "zeek.dpd" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/files*.log" type => "zeek.files" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/ftp*.log" type => "zeek.ftp" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/http*.log" type => "zeek.http" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/intel*.log" type => "zeek.intel" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/irc*.log" type => "zeek.irc" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/kerberos*.log" type => "zeek.kerberos" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/modbus*.log" type => "zeek.modbus" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/mysql*.log" type => "zeek.mysql" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/notice*.log" type => "zeek.notice" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/ntlm*.log" type => "zeek.ntlm" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/pe*.log" type => "zeek.pe" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/radius*.log" type => "zeek.radius" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/rdp*.log" type => "zeek.rdp" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/rfb*.log" type => "zeek.rfb" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/signatures*.log" type => "zeek.signatures" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/sip*.log" type => "zeek.sip" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/smb_files*.log" type => "zeek.smb_files" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/smb_mapping*.log" type => "zeek.smb_mapping" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/smtp*.log" type => "zeek.smtp" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/snmp*.log" type => "zeek.snmp" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/socks*.log" type => "zeek.socks" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/software*.log" type => "zeek.software" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/ssh*.log" type => "zeek.ssh" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/ssl*.log" type => "zeek.ssl" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/syslog*.log" type => "zeek.syslog" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/tunnel*.log" type => "zeek.tunnels" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/weird*.log" type => "zeek.weird" tags => ["zeek"] } file { path => "/nsm/zeek/logs/current/x509*.log" type => "zeek.x509" tags => ["zeek"] } file { path => "/wazuh/alerts/alerts.json" type => "ossec" } # file { # path => "/wazuh/archives/archives.json" # type => "ossec_archive" # } file { path => "/osquery/logs/result.log" type => "osquery" tags => ["osquery"] } file { path => "/strelka/strelka.log" type => "strelka" } } filter { if "import" in [tags] { mutate { #add_tag => [ "conf_file_0007"] } } }