CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-02 09:28:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2b34bdece97548af2fae4cbd6233f65f8e733c9b
securityonion/salt/logstash/pipelines/config/1108_preprocess_bro_kerberos.conf
T

57 lines
2.0 KiB
Plaintext
Raw Blame History

# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 2/7/2018
#
# This conf file is based on accepting logs for kerberos.log from Bro systems
filter {
if [type] == "bro_kerberos" {
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => { "ts" => "timestamp" }
#uid
rename => { "id.orig_h" => "source_ip" }
rename => { "id.orig_p" => "source_port" }
rename => { "id.resp_h" => "destination_ip" }
rename => { "id.resp_p" => "destination_port" }
#request_type
#client
#service
rename => { "success" => "kerberos_success" }
rename => { "error_msg" => "error_message" }
rename => { "from" => "valid_from" }
rename => { "till" => "valid_till" }
#cipher
#forwardable
#renewable
rename => { "client_cert_subject" => "client_certificate_subject" }
rename => { "client_cert_fuid" => "client_certificate_fuid" }
rename => { "server_cert_subject" => "server_certificate_subject" }
rename => { "server_cert_fuid" => "server_certificate_fuid" }
}
mutate {
convert => { "kerberos_success" => "string" }
convert => { "renewable" => "string" }
}
} else {
mutate {
gsub => [ "message", "[\"']", "" ]
}
csv {
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","request_type","client","service","kerberos_success","error_message","valid_from","valid_till","cipher","forwardable","renewable","client_certificate_subject","client_certificate_fuid","server_certificate_subject","server_certificate_fuid"]
separator => " "
}
}
mutate {
#add_tag => [ "conf_file_1108"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink