securityonion/salt/logstash/pipelines/config/1114_preprocess_bro_software.conf

# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 2/7/2018
#
# This conf file is based on accepting logs for software.log from Bro systems
filter {
  if [type] == "bro_software" {
        # If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
        if [message] =~ /^{.*}$/ {
                json {
                        source => "message"
                }

                mutate {
                        rename => { "ts" => "timestamp" }
                        #uid
                        rename => { "host" => "source_ip" }
                        rename => { "host_p" => "source_port" }
			#software_type
			#name
			rename => { "version.major" => "version_major" }
			rename => { "version.minor" => "version_minor" }
			rename => { "version.minor2" => "version_minor2" }
			rename => { "version.minor3" => "version_minor3" }
			rename => { "version.addl" => "version_additional_info" }
			#unparsed_version
		}

		mutate {
			convert => { "version_major" => "string" }
			convert => { "version_minor" => "string" }
		}

	} else {
	    mutate {
	      gsub => [ "message", "[\"']", "" ]
	    }
	    csv {
	      columns => ["timestamp","source_ip","source_port","software_type","name","version_major","version_minor","version_minor2","version_minor3","version_additional_info","unparsed_version"]
	      separator => "	"
	    }
	}

	mutate {
		#add_tag => [ "conf_file_1114"]
	}
  }	
}