Files
securityonion/salt/logstash/pipelines/config/1110_preprocess_bro_rdp.conf

53 lines
1.8 KiB
Plaintext

# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
#
# This conf file is based on accepting logs for rdp.log from Bro systems
filter {
if [type] == "bro_rdp" {
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => { "ts" => "timestamp" }
#uid
rename => { "id.orig_h" => "source_ip" }
rename => { "id.orig_p" => "source_port" }
rename => { "id.resp_h" => "destination_ip" }
rename => { "id.resp_p" => "destination_port" }
#cookie
#result
#security_protocol
#client_channels
#keyboard_layout
#client_build
#client_name
rename => { "client_dig_product_id" => "client_digital_product_id" }
#desktop_width
#desktop_height
#requested_color_depth
rename => { "cert_type" => "certificate_type" }
rename => { "cert_count" => "certificate_count" }
rename => { "cert_permanent" => "certificate_permanent" }
#encryption_level
#encryption_method
}
} else {
mutate {
gsub => [ "message", "[\"']", "" ]
}
csv {
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","client_channels","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
separator => " "
}
}
mutate {
#add_tag => [ "conf_file_1110"]
}
}
}