CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
a3dba9b5667ab35583db64ee7d315f7ba58ba9d3
securityonion/salt/elasticsearch/files/ingest/zeek.kerberos

24 lines
2.2 KiB
Plaintext
Raw Blame History

{
"description" : "zeek.kerberos",
"processors" : [
{ "set": { "field": "event.dataset", "value": "kerberos" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.request_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.client", "target_field": "kerberos.client", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "kerberos.service", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "kerberos.success", "ignore_missing": true } },
{ "rename": { "field": "message2.error_msg", "target_field": "kerberos.error_message", "ignore_missing": true } },
{ "rename": { "field": "message2.from", "target_field": "kerberos.ticket.valid.from", "ignore_missing": true } },
{ "rename": { "field": "message2.till", "target_field": "kerberos.ticket.valid.until", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } },
{ "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client_certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server_certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
Reference in New Issue View Git Blame Copy Permalink