mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-02-23 07:25:31 +01:00
53 lines
1.8 KiB
Plaintext
53 lines
1.8 KiB
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks
|
|
#
|
|
# This conf file is based on accepting logs for rdp.log from Bro systems
|
|
filter {
|
|
if [type] == "bro_rdp" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
#cookie
|
|
#result
|
|
#security_protocol
|
|
#client_channels
|
|
#keyboard_layout
|
|
#client_build
|
|
#client_name
|
|
rename => { "client_dig_product_id" => "client_digital_product_id" }
|
|
#desktop_width
|
|
#desktop_height
|
|
#requested_color_depth
|
|
rename => { "cert_type" => "certificate_type" }
|
|
rename => { "cert_count" => "certificate_count" }
|
|
rename => { "cert_permanent" => "certificate_permanent" }
|
|
#encryption_level
|
|
#encryption_method
|
|
}
|
|
} else {
|
|
mutate {
|
|
gsub => [ "message", "[\"']", "" ]
|
|
}
|
|
csv {
|
|
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","client_channels","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
|
|
separator => " "
|
|
}
|
|
}
|
|
|
|
mutate {
|
|
#add_tag => [ "conf_file_1110"]
|
|
}
|
|
}
|
|
}
|