mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-09 02:32:46 +01:00
31 lines
1018 B
Plaintext
31 lines
1018 B
Plaintext
# Original Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Wes Lambert
|
|
# Last Update: 12/14/2017
|
|
#
|
|
# This conf file is based on accepting logs for mysql.log from Bro systems
|
|
#
|
|
# Parse using grok
|
|
filter {
|
|
if [type] == "bro_mysql" {
|
|
grok {
|
|
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<mysql_command>(.*?))\t(?<mysql_argument>(.*?))\t(?<mysql_success>(.*?))\t(?<rows>(.*?))\t(?<response>(.*))" ]
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_1121"]
|
|
}
|
|
}
|
|
}
|
|
|
|
# Reverting to grok for now, due to double-quoted values in log file
|
|
# Parse using csv filter
|
|
#filter {
|
|
# if [type] == "bro_mysql" {
|
|
# csv {
|
|
# columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","mysql_command","mysql_argument","mysql_success","rows","response"]
|
|
# separator => " "
|
|
# quote_char=
|
|
# }
|
|
# }
|
|
#}
|