securityonion/salt/logstash/pipelines/config/1104_preprocess_bro_files.conf

# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 2/7/2018
#
# This conf file is based on accepting logs for files.log from Bro systems
filter {
  if [type] == "bro_files" {
	# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
	if [message] =~ /^{.*}$/ {
		json {
			source => "message"
		}

		mutate {
			rename => { "ts" => "timestamp" }
			#fuid
			rename => { "tx_hosts" => "file_ip" }
			rename => { "rx_hosts" => "destination_ip" }
			rename => { "conn_uids" => "connection_uids" }
			#source field
			#depth field
			rename => { "analyzers" => "analyzer" }
			rename => { "mime_type" => "mimetype" }
			rename => { "filename" => "file_name" }
			#duration
			#local_orig
			#is_orig
			#seen_bytes
			#total_bytes
			#missing_bytes
			#overflow_bytes
			rename => { "timedout" => "timed_out" }
			#parent_fuid
			#md5
			#sha1
			#sha256
			#extracted
			#extracted_cutoff
			#extracted_size
		}
	} else {

	    csv {
	      columns => ["timestamp","fuid","file_ip","destination_ip","connection_uids","source","depth","analyzer","mimetype","file_name","duration","local_orig","is_orig","seen_bytes","total_bytes","missing_bytes","overflow_bytes","timed_out","parent_fuid","md5","sha1","sha256","extracted","extracted_cutoff","extracted_size"]
	      separator => "	"
	    }
            if [destination_ip] =~ /,/ {
              mutate {
                split => { "destination_ip" => "," }
              }
            }
            if [file_ip] =~ /,/ {
              mutate {
                split => { "file_ip" => "," }
              }
            }
	}

	mutate {
		#add_tag => [ "conf_file_1104"]
	}
  }
}