| input { | |
| file { | |
| type => "bro_logs" | |
| path => "/Analysis/Pcaps/*.log" | |
| start_position => beginning | |
| codec => json | |
| sincedb_path => "/var/log/.bro_sincedb" | |
| } | |
| } | |
| filter { | |
| date { | |
| match => [ "ts", "UNIX" ] | |
| target => "@timestamp" | |
| remove_field => [ "ts" ] | |
| } | |
| if [log_path] == "weird" { | |
| de_dot { | |
| fields => [ | |
| "id.orig_p", | |
| "id.resp_p" | |
| ] | |
| } | |
| } | |
| if [log_path] == "software" { | |
| de_dot { | |
| fields => [ | |
| "version.major", | |
| "version.minor", | |
| "version.minor2", | |
| "version.minor3", | |
| "version.addl" | |
| ] | |
| } | |
| } | |
| if [log_path] == "x509" { | |
| de_dot { | |
| fields => [ | |
| "certificate.version", | |
| "certificate.serial", | |
| "certificate.subject", | |
| "certificate.issuer", | |
| "certificate.exponent", | |
| "certificate.curve", | |
| "sans.dns", | |
| "basic_constraints.ca" | |
| ] | |
| } | |
| } | |
| if [log_path] == "intel" { | |
| de_dot { | |
| fields => [ | |
| "seen.indicator", | |
| "seen.where", | |
| "seen.node" | |
| ] | |
| } | |
| } | |
| mutate { | |
| rename => ["id.orig_p", "src_port"] | |
| rename => ["id.resp_p", "dst_port"] | |
| rename => ["id.orig_h", "src_ip"] | |
| rename => ["id.resp_h", "dst_ip"] | |
| } | |
| } | |
| output { | |
| elasticsearch { | |
| hosts => "localhost" | |
| index => "bro" | |
| document_type => "Bro" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment