mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-04-29 07:57:52 +02:00
m0duspwnens
57 lines
2.1 KiB
Plaintext
57 lines
2.1 KiB
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks and Wes Lambert
|
|
# Last Update: 1/3/2019
|
|
#
|
|
# This conf file is based on accepting logs for dhcp.log from Bro systems
|
|
filter {
|
|
if [type] == "bro_dhcp" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
#mac
|
|
#assigned_ip
|
|
#lease_time
|
|
rename => { "trans_id" => "transaction_id" }
|
|
# new dhcp log format
|
|
rename => { "assigned_addr" => "assigned_ip" }
|
|
rename => { "client_addr" => "source_ip" }
|
|
rename => { "server_addr" => "destination_ip" }
|
|
rename => { "requested_addr" => "requested_ip" }
|
|
rename => { "domain" => "domain_name" }
|
|
rename => { "host_name" => "hostname" }
|
|
rename => { "msg_types" => "message_types" }
|
|
rename => { "uids" => "uid" }
|
|
}
|
|
} else {
|
|
mutate {
|
|
gsub => [ "message", "[\"']", "" ]
|
|
}
|
|
# Bro logs in TSV format
|
|
csv {
|
|
columns => [ "timestamp", "uid", "source_ip", "destination_ip", "mac", "hostname", "client_fqdn", "domain_name", "requested_ip", "assigned_ip", "lease_time","client_message", "server_message", "message_types", "duration" ]
|
|
separator => " "
|
|
}
|
|
# Remove fields with empty values (-) to prevent field data type conflict
|
|
ruby {
|
|
code =>"
|
|
hash = event.to_hash.each do |key,value|
|
|
if value == '-'
|
|
event.remove(key)
|
|
end
|
|
end"
|
|
}
|
|
}
|
|
}
|
|
}
|