CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-27 03:13:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
6f5d93b6eb41d4922e8cd0b3753a37f095d2e426
securityonion/salt/logstash/files/conf.d/1126_preprocess_bro_sip.conf
Mike Reeves 5a6c66bde5 Initial Commit
2018-02-05 12:36:27 -05:00

33 lines
1.5 KiB
Plaintext
Raw Blame History

# Author: Wes Lambert
# wlambertts@gmail.com
#
# Adapted from existing filters provided by Justin Henderson
#
# Last Update: 05/12/2017
#
# This conf file is based on accepting logs for sip.log from Bro systems
#
# Parse using csv filter
#filter {
# if [type] == "bro_sip" {
# csv {
# columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","trans_depth","method","uri","date","request_from","request_to","response_from","response_to","reply_to","call_id","seq","subject","request_path","response_path","user_agent","status_code","status_msg","warning","request_body_len","response_body_len","content_type"]
# separator => " "
# }
# }
#}
# some sip logs have quotes which cause csvparsefailures, so let's fall back to grok
# Parse using grok
filter {
if [type] == "bro_sip" {
grok {
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<uri>(.*?))\t(?<date>(.*?))\t(?<request_from>(.*?))\t(?<request_to>(.*?))\t(?<response_from>(.*?))\t(?<response_to>(.*?))\t(?<reply_to>(.*?))\t(?<call_id>(.*?))\t(?<seq>(.*?))\t(?<subject>(.*?))\t(?<request_path>(.*?))\t(?<response_path>(.*?))\t(?<user_agent>(.*?))\t(?<status_code>(.*?))\t(?<status_msg>(.*?))\t(?<warning>(.*?))\t(?<request_body_len>(.*?))\t(?<response_body_len>(.*?))\t(?<content_type>(.*?))$" ]
}
mutate {
add_tag => [ "conf_file_1126"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink