mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
22 lines
1.1 KiB
Plaintext
22 lines
1.1 KiB
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks
|
|
# Last Update: 5/15/2017
|
|
#
|
|
# This conf file is based on accepting logs for http.log from Bro systems
|
|
filter {
|
|
if [type] == "bro_http" {
|
|
grok {
|
|
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<virtual_host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<version>(.*?))\t(?<useragent>(.*?))\t(?<request_body_length>(.*?))\t(?<response_body_length>(.*?))\t(?<status_code>(.*?))\t(?<status_message>(.*?))\t(?<info_code>(.*?))\t(?<info_message>(.*?))\t(?<tags>(.*))\t(?<user>(.*))\t(?<password>(.*))\t(?<proxied>(.*))\t(?<orig_fuids>(.*))\t(?<orig_filenames>(.*?))\t(?<orig_mime_types>(.*))\t(?<resp_fuids>(.*))\t(?<resp_filenames>(.*?))\t(?<resp_mime_types>(.*))" ]
|
|
}
|
|
if [useragent] == "-" {
|
|
mutate {
|
|
remove_field => [ "useragent" ]
|
|
}
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_1106"]
|
|
}
|
|
}
|
|
}
|