mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
35 lines
1.2 KiB
Plaintext
35 lines
1.2 KiB
Plaintext
# Original Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Wes Lambert
|
|
# Last Update: 12/14/2017
|
|
#
|
|
# This conf file is based on accepting logs for socks.log from Bro systems
|
|
|
|
# Parse using csv
|
|
filter {
|
|
if [type] == "bro_socks" {
|
|
mutate {
|
|
gsub => [ "message", "[\"']", "" ]
|
|
}
|
|
csv {
|
|
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","user","password","server_status","request_host","request_name","request_port","bound_host","bound_name","bound_port"]
|
|
separator => " "
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_1105"]
|
|
}
|
|
}
|
|
}
|
|
# Parse using grok
|
|
#filter {
|
|
# if [type] == "bro_socks" {
|
|
# # This is the initial parsing of the log
|
|
# grok {
|
|
# match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<version>(.*?))\t(?<user>(.*?))\t(?<password>(.*?))\t(?<status>(.*))\t(?<request_host>(.*))\t(?<request_name>(.*))\t(?<request_port>(.*))\t(?<bound_host>(.*))\t(?<bound_name>(.*))\t(?<bound_port>(.*))" ]
|
|
# }
|
|
# mutate {
|
|
# #add_tag => [ "conf_file_1122"]
|
|
# }
|
|
# }
|
|
#}
|