CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
68eb2d3ceba58bc6df83707e5b6d9c046a74f446
securityonion/salt/elasticsearch/files/ingest/zeek.http
Josh Brower c74ace89ba Initial support - Ingest community_id
2020-05-21 14:34:00 -04:00

36 lines
3.4 KiB
HTTP
Raw Blame History

{
"description" : "zeek.http",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.referrer", "target_field": "http.referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len","target_field": "http.response.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "http.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "http.status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.info_code", "target_field": "http.info_code", "ignore_missing": true } },
{ "rename": { "field": "message2.info_msg", "target_field": "http.info_message", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "rename": { "field": "message2.username", "target_field": "http.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "http.password", "ignore_missing": true } },
{ "rename": { "field": "message2.proxied", "target_field": "http.proxied", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_fuids", "target_field": "log.id.orig_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_filenames", "target_field": "file.orig_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mime_types", "target_field": "file.orig_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
{ "set": { "field": "network.transport", "value": "tcp" } },
{ "pipeline": { "name": "zeek.common" } }
]
}
Reference in New Issue View Git Blame Copy Permalink