Andrew Kroh andrewkroh

andrewkroh / symantec-endpoint-pipeline.json
Last active April 21, 2021 16:15
Symantec Endpoint Elasticsearch Ingest Node Pipeline (POC)
{
"description": "Pipeline for parsing Symantec Endpoint logs",
"processors": [
{
"set": {
"field": "event.original",
"value": "{{{message}}}"
}
},
{
andrewkroh / citrix-netscaler-pipeline.json
Last active December 15, 2020 14:12
Citrix Netscaler Elasticsearch Ingest Node Pipeline
{
"description": "Pipeline for parsing Citrix Netscaler logs",
"processors": [
{
"script": {
"description": "set event.original",
"lang": "painless",
"source": "def event = ctx.event;\nif (event == null) {\n event = [:];\n ctx['event'] = event;\n}\nevent['original'] = ctx.message;\n"
}
},
andrewkroh / instructions.md
Last active March 6, 2023 19:09
Adding event.ingested and lag calculations to Winlogbeat events

Create an Ingest Pipeline that will add four fields:

  • event.ingested - Time when the event was processed by Elasticsearch.
  • event.lag.read - Time difference in milliseconds between @timestamp and event.created. This measures how long it took Winlogbeat to read the event from the event log (for WEC this includes the delivery time from the forwarder to the collector).
  • event.lag.ingest - Time difference in milliseconds between event.created and event.ingested. This measures the time from Winlogbeat reading the event (the moment it "created" the document) to the moment it was written to Elasticsearch.
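A complete pipeline implementing the fields described above, added here as a worked example; it is not the gist's own instructions.md content. The pipeline name `winlogbeat-lag` is mine, and because the fourth field is cut off in this preview, the `event.lag.total` field (@timestamp to event.ingested) is my assumption, not necessarily what the gist adds. This is Kibana Dev Tools console syntax: the triple-quoted Painless source must be collapsed into a single JSON string if you load the pipeline from a plain JSON file.

```json
PUT _ingest/pipeline/winlogbeat-lag
{
  "description": "Add event.ingested and lag calculations to Winlogbeat events (added example)",
  "processors": [
    {
      "set": {
        "field": "event.ingested",
        "value": "{{{_ingest.timestamp}}}"
      }
    },
    {
      "script": {
        "lang": "painless",
        "if": "ctx.event?.created != null && ctx['@timestamp'] != null",
        "source": """
          ZonedDateTime ts       = ZonedDateTime.parse(ctx['@timestamp']);
          ZonedDateTime created  = ZonedDateTime.parse(ctx.event.created);
          ZonedDateTime ingested = ZonedDateTime.parse(ctx.event.ingested);
          ctx.event.lag = [
            'read':   ChronoUnit.MILLIS.between(ts, created),
            'ingest': ChronoUnit.MILLIS.between(created, ingested),
            'total':  ChronoUnit.MILLIS.between(ts, ingested)
          ];
        """
      }
    }
  ]
}

POST _ingest/pipeline/winlogbeat-lag/_simulate
{
  "docs": [
    {
      "_source": {
        "@timestamp": "2021-03-06T19:00:00.000Z",
        "event": { "code": "4624", "created": "2021-03-06T19:00:02.500Z" }
      }
    }
  ]
}
```

The simulate document above is constructed; on it `event.lag.read` is 2500, while `event.lag.ingest` and `event.lag.total` depend on the wall clock when the simulate runs. The script is guarded with `if` so events that reach the pipeline without `event.created` (anything not shipped by Winlogbeat) pass through untouched instead of failing the pipeline. A negative `event.lag.read` is worth alerting on: it means the collector's clock is behind the source's, which also skews any time-based correlation you do on these events.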
andrewkroh / functions
Created September 22, 2020 16:46
RHEL 6 /etc/rc.d/init.d/functions from initscripts-9.03.61-1.el6.centos.x86_64
# -*-Shell-script-*-
#
# functions This file contains functions to be used by most or all
# shell scripts in the /etc/init.d directory.
#
TEXTDOMAIN=initscripts
# Make sure umask is sane
umask 022
andrewkroh / howto.txt
Last active May 5, 2023 10:07
Microsoft-Windows-Windows Defender Event Log Message Resources
800, AntiVirus
801, AntiSpyware
802, Antimalware
803, Full
804, Delta
805, Full Scan
806, Quick Scan
807, Custom Scan
808, Remove
809, Quarantine
andrewkroh / vault.hcl
Created September 3, 2020 12:48
Journalbeat and Hashicorp Vault
journalbeat.inputs:
id: vault.service
include_matches:
- systemd.unit=vault.service
processors:
- add_fields:
target: event
fields:
module: vault
dataset: vault.log
andrewkroh / access.log
Created May 5, 2020 19:07
Filebeat Squid Proxy Access Log Parsing
1348870236.160 0 192.168.0.35 TCP_DENIED/403 3293 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870236.273 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870236.386 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870236.499 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html
1348870237.550 0 192.168.0.35 TCP_DENIED/403 3269 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.4.6/misc/AcrobatUpd946_all_incr.msp - NONE/- text/html
1348870274.248 59875 192.168.0.35 TCP_MISS/503 0 CONNECT client84.dropbox.com:443 - DIRECT/- -
1348870284.249 59872 192.168.0.35 TCP_MISS/503 0 CONNECT client62.dropbox.com:443 - DIRECT/- -
1348870
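The same Squid native access.log format parsed by an Elasticsearch ingest pipeline instead of the Filebeat configuration in the gist. This is an added example, not the gist's code; the pipeline name, the non-ECS `squid.*` field names and the ECS mapping choices (`event.duration` in nanoseconds, `event.outcome` from the HTTP status) are my own. Kibana console syntax, as above.

```json
PUT _ingest/pipeline/squid-access
{
  "description": "Parse Squid native access.log lines (added example)",
  "processors": [
    {
      "dissect": {
        "field": "message",
        "pattern": "%{squid.timestamp->} %{squid.duration_ms->} %{source.address} %{squid.result_code}/%{http.response.status_code} %{http.response.bytes} %{http.request.method} %{url.original} %{user.name} %{squid.hierarchy_code}/%{squid.peer_host} %{http.response.mime_type}"
      }
    },
    { "date":    { "field": "squid.timestamp", "formats": ["UNIX"] } },
    { "convert": { "field": "squid.duration_ms", "type": "long" } },
    { "convert": { "field": "http.response.status_code", "type": "long" } },
    { "convert": { "field": "http.response.bytes", "type": "long" } },
    {
      "script": {
        "lang": "painless",
        "source": """
          if (ctx.user?.name == '-')                { ctx.user.remove('name'); }
          if (ctx.user != null && ctx.user.isEmpty()) { ctx.remove('user'); }
          if (ctx.squid?.peer_host == '-')          { ctx.squid.remove('peer_host'); }
          if (ctx.http?.response?.mime_type == '-') { ctx.http.response.remove('mime_type'); }
          if (ctx.event == null) { ctx.event = new HashMap(); }
          ctx.event.duration = ctx.squid.duration_ms * 1000000L;
          ctx.event.outcome  = ctx.http.response.status_code >= 400 ? 'failure' : 'success';
        """
      }
    },
    { "remove": { "field": ["squid.timestamp", "squid.duration_ms"] } }
  ]
}

POST _ingest/pipeline/squid-access/_simulate
{
  "docs": [
    { "_source": { "message": "1348870236.160 0 192.168.0.35 TCP_DENIED/403 3293 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html" } },
    { "_source": { "message": "1348870274.248 59875 192.168.0.35 TCP_MISS/503 0 CONNECT client84.dropbox.com:443 - DIRECT/- -" } }
  ]
}
```

The two simulate inputs are the first and sixth lines of the gist's access.log above. The `->` modifier on the first two keys matters on real Squid output, where the elapsed-time column is right-aligned with padding spaces; the preview on this page has the padding collapsed, so the pattern has to accept both. Squid writes a literal `-` for an absent user, peer host or MIME type, and the script drops those rather than indexing a dash that would later look like a real value in aggregations. The `UNIX` date format accepts the fractional epoch seconds Squid emits.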
andrewkroh / domain_rank_enrichment_pipeline.json
Last active October 11, 2019 14:54
Elasticsearch Ingest Node Enrich Processor Example - Top 1M Domain Ranks
PUT /_ingest/pipeline/domain_rank_enrichment
{
"description" : "Enriching domains with rank.",
"processors" : [
{
"enrich" : {
"policy_name": "dns-domain-top1m-rank",
"field" : "dns.question.name",
"target_field": "_temp"
}
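The full enrich workflow around that pipeline, added here as a worked example and not the gist's own content: the gist preview stops after the enrich processor, so the source index, the policy definition, the follow-up `rename`/`remove` processors, the `ignore_missing` flags and the two sample documents are my assumptions. The rank data below is constructed, not a real top-1M list. Kibana console syntax.

```json
PUT dns-domain-top1m
{
  "mappings": {
    "properties": {
      "domain": { "type": "keyword" },
      "rank":   { "type": "integer" }
    }
  }
}

POST dns-domain-top1m/_bulk?refresh
{ "index": {} }
{ "domain": "google.com", "rank": 1 }
{ "index": {} }
{ "domain": "example.com", "rank": 3 }

PUT _enrich/policy/dns-domain-top1m-rank
{
  "match": {
    "indices": "dns-domain-top1m",
    "match_field": "domain",
    "enrich_fields": ["rank"]
  }
}

POST _enrich/policy/dns-domain-top1m-rank/_execute

PUT _ingest/pipeline/domain_rank_enrichment
{
  "description": "Enriching domains with rank (added example).",
  "processors": [
    {
      "enrich": {
        "policy_name": "dns-domain-top1m-rank",
        "field": "dns.question.name",
        "target_field": "_temp",
        "ignore_missing": true
      }
    },
    { "rename": { "field": "_temp.rank", "target_field": "dns.question.rank", "ignore_missing": true } },
    { "remove": { "field": "_temp", "ignore_missing": true } }
  ]
}

POST _ingest/pipeline/domain_rank_enrichment/_simulate
{
  "docs": [
    { "_source": { "dns": { "question": { "name": "example.com" } } } },
    { "_source": { "dns": { "question": { "name": "unlisted.test" } } } }
  ]
}
```

The enrich processor copies the whole matched source document (`domain` and `rank`) into `target_field`, which is why the gist points it at `_temp` and the example then lifts only `rank` into `dns.question.rank` and drops the rest. In the simulate output the first document gains `dns.question.rank: 3`; the second has no match, so with `ignore_missing` it passes through unchanged instead of failing. Two caveats: the policy must be executed (and re-executed after the source index changes) before the pipeline can use it, since enrichment reads from the frozen `.enrich-*` index the execute step builds; and a `match` policy is an exact keyword match, so `www.example.com` will not match `example.com` unless you normalise the query to its registered domain first.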
andrewkroh / msobjs.c
Created July 23, 2019 20:26
Extract the msobjs.dll message table
#include <windows.h>
#include <stdio.h>

// Print every entry of one MESSAGE_RESOURCE_BLOCK as "id, text".
// Entries are variable length and packed back to back; Length counts the
// header plus the text, so it is also the stride to the next entry.
int ProcessBlock(MESSAGE_RESOURCE_DATA* data, MESSAGE_RESOURCE_BLOCK* block)
{
MESSAGE_RESOURCE_ENTRY* entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)data + block->OffsetToEntries);
for (DWORD id = block->LowId; id <= block->HighId; id++)
{
if (entry->Flags == 0x0001) // MESSAGE_RESOURCE_UNICODE: wide-char text
printf("%lu, %ls", (unsigned long)id, (const wchar_t*)entry->Text);
else // ANSI text
printf("%lu, %s", (unsigned long)id, (const char*)entry->Text);
entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)entry + entry->Length);
}
return 0;
}
andrewkroh / filebeat-cisco-ios.js
Created February 26, 2019 23:35
Javascript Processor Example
var processor = require("processor");
var filebeatCisco = (function() {
var parseCiscoHeader = new processor.Dissect({
"tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}",
"field": "log.original",
"target_prefix": "",
}).Run;
var coerceDataTypes = new processor.Transform([