mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-01-04 07:13:12 +01:00
24 lines
541 B
Plaintext
24 lines
541 B
Plaintext
# Author: Josh Brower
|
|
# Last Update: 12/28/2018
|
|
# If log is tagged osquery and there is an eventid column, then cleanup and parse out the EventData column
|
|
|
|
filter {
|
|
if "osquery" in [tags] and [osquery][columns][eventid] {
|
|
|
|
mutate {
|
|
gsub => ["[osquery][columns][data]", "\\x0A", ""]
|
|
}
|
|
|
|
json {
|
|
source => "[osquery][columns][data]"
|
|
target => "[osquery][columns][data]"
|
|
}
|
|
|
|
mutate {
|
|
merge => { "[osquery][columns]" => "[osquery][columns][data]" }
|
|
remove_field => ["[osquery][columns][data]"]
|
|
}
|
|
|
|
}
|
|
}
|