input {
  # Read every Bro log already present in the capture directory from its
  # first line, decoding one JSON object per line into an event.
  file {
    codec          => "json"
    type           => "bro_logs"
    path           => "/Analysis/Pcaps/*.log"
    start_position => "beginning"
    # Read offsets are persisted here so a restart does not re-ingest lines
    # that were already shipped; the path must be writable by the Logstash user.
    sincedb_path   => "/var/log/.bro_sincedb"
  }
}
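filter {
  # Bro writes "ts" as a UNIX epoch (fractional seconds are accepted by the
  # UNIX pattern). On success the value becomes @timestamp and "ts" is dropped;
  # on failure the event keeps "ts" and is tagged _dateparsefailure.
  date {
    match        => [ "ts", "UNIX" ]
    target       => "@timestamp"
    remove_field => [ "ts" ]
  }

  # Rename the conn_id fields BEFORE any de_dot filter runs. de_dot's default
  # mode (nested => false, separator "_") rewrites "id.orig_p" to "id_orig_p",
  # so renaming afterwards silently skipped the ports on "weird" events and
  # left them without src_port/dst_port while every other log type had them.
  # Because the rename now happens first, the former "weird" de_dot branch
  # (which only covered id.orig_p / id.resp_p) has nothing left to do and is
  # omitted. A single hash is the documented form of mutate's rename option.
  mutate {
    rename => {
      "id.orig_p" => "src_port"
      "id.resp_p" => "dst_port"
      "id.orig_h" => "src_ip"
      "id.resp_h" => "dst_ip"
    }
  }

  # NOTE(review): [log_path] is not set by the file input in this config; it
  # has to be present in the Bro JSON itself, otherwise none of the branches
  # below ever match — confirm against the Bro-side logging script.
  if [log_path] == "software" {
    de_dot {
      fields => [
        "version.major",
        "version.minor",
        "version.minor2",
        "version.minor3",
        "version.addl"
      ]
    }
  }
  if [log_path] == "x509" {
    de_dot {
      fields => [
        "certificate.version",
        "certificate.serial",
        "certificate.subject",
        "certificate.issuer",
        "certificate.exponent",
        "certificate.curve",
        "sans.dns",
        "basic_constraints.ca"
      ]
    }
  }
  if [log_path] == "intel" {
    de_dot {
      fields => [
        "seen.indicator",
        "seen.where",
        "seen.node"
      ]
    }
  }
}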
output {
  # Every event is indexed into the single "bro" index on the local
  # Elasticsearch node, under the mapping type "Bro".
  # NOTE(review): this is plain HTTP with no credentials, which is only
  # acceptable while the node is bound to localhost; a non-local cluster
  # should get ssl => true together with user/password. document_type is
  # rejected by Elasticsearch 7 and later — confirm the target version.
  elasticsearch {
    document_type => "Bro"
    index         => "bro"
    hosts         => [ "localhost" ]
  }
}