securityonion/salt/elasticsearch/files/ingest/zeek.cip

{
  "description" : "zeek.cip",
  "processors" : [
    { "set": { "field": "event.dataset", "value": "cip" } },
    { "remove":         { "field": ["host"],											"ignore_failure": true	} },
    { "json":		{ "field": "message",				"target_field": "message2",				"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.is_orig",			"target_field": "cip.is_orig",			        "ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.cip_sequence_count",	"target_field": "cip.sequence_count",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.direction",		"target_field": "cip.direction",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.cip_service_code",		"target_field": "cip.service_code",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.cip_service",		"target_field": "cip.service",				"ignore_missing": true 	} },
    { "convert":	{ "field": "cip.service",			"type": "string",					"ignore_missing": true  } },
    { "rename": 	{ "field": "message2.cip_status",		"target_field": "cip.status_code",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.class_id",			"target_field": "cip.request.path.class.id",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.class_name",		"target_field": "cip.request.path.class.name",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.instance_id",		"target_field": "cip.request.path.instance.id",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.attribute_id",		"target_field": "cip.request.path.attribute.id",	"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common" } }
  ]
}