mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-24 09:53:12 +01:00
58 lines
1.8 KiB
Plaintext
58 lines
1.8 KiB
Plaintext
# Original Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks
|
|
# Last Update: 2/7/2018
|
|
#
|
|
# This conf file is based on accepting logs for mysql.log from Bro systems
|
|
#
|
|
# Parse using grok
|
|
filter {
|
|
if [type] == "bro_mysql" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
rename => { "cmd" => "mysql_command" }
|
|
rename => { "arg" => "mysql_argument" }
|
|
rename => { "success" => "mysql_success" }
|
|
#rows
|
|
#response
|
|
}
|
|
|
|
mutate {
|
|
convert => { "mysql_success" => "string" }
|
|
}
|
|
|
|
} else {
|
|
grok {
|
|
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mysql_command>(.*?))\t(?<mysql_argument>(.*?))\t(?<mysql_success>(.*?))\t(?<rows>(.*?))\t(?<response>(.*))" ]
|
|
}
|
|
}
|
|
|
|
mutate {
|
|
#add_tag => [ "conf_file_1121"]
|
|
}
|
|
}
|
|
}
|
|
|
|
# Reverting to grok for now, due to double-quoted values in log file
|
|
# Parse using csv filter
|
|
#filter {
|
|
# if [type] == "bro_mysql" {
|
|
# csv {
|
|
# columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
|
|
# separator => " "
|
|
# quote_char=
|
|
# }
|
|
# }
|
|
#}
|