mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-04 02:18:17 +02:00
m0duspwnens
51 lines
1.6 KiB
Plaintext
51 lines
1.6 KiB
Plaintext
# Author: Wes Lambert
|
|
#
|
|
# Adapted from existing filters provided by Justin Henderson
|
|
#
|
|
# Updated by: Doug Burks and Wes Lambert
|
|
# Last Update: 1/2/2019
|
|
#
|
|
# This conf file is based on accepting logs for ntlm.log from Bro systems
|
|
#
|
|
filter {
|
|
if [type] == "bro_ntlm" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
#hostname
|
|
rename => { "domainname" => "domain_name" }
|
|
rename => { "success" => "ntlm_success" }
|
|
#status
|
|
}
|
|
} else {
|
|
mutate {
|
|
gsub => [ "message", "[\"']", "" ]
|
|
}
|
|
csv {
|
|
columns => [ "timestamp", "uid", "source_ip", "source_port", "destination_ip", "destination_port", "username", "hostname", "domain_name", "server_nb_computer_name", "server_dns_computer_name", "server_tree_name", "ntlm_success"]
|
|
separator => " "
|
|
}
|
|
ruby {
|
|
code =>"
|
|
hash = event.to_hash.each do |key,value|
|
|
if value == '-'
|
|
event.remove(key)
|
|
end
|
|
end"
|
|
}
|
|
|
|
|
|
}
|
|
}
|
|
}
|