securityonion-elastic: elasticsearch ingest pipelines need to support "ips" fields #1666

Closed
dougburks opened this issue Nov 26, 2019 · 4 comments


@dougburks dougburks commented Nov 26, 2019

No description provided.

@dougburks dougburks added this to To do in 16.04.6.4 via automation Nov 26, 2019
@dougburks dougburks changed the title securityonion-elastic: elasticsearch ingest pipelines need to support "ips" field securityonion-elastic: elasticsearch ingest pipelines need to support "ips" fields Nov 26, 2019
@dougburks dougburks commented Nov 26, 2019

Add the following fields:
ips
source_ips
destination_ips

@dougburks dougburks commented Dec 24, 2019

Here's the current logic in the traditional Logstash config:

    if [source_ip] {
      mutate {
        add_field => { "ips" => "%{source_ip}" }
        add_field => { "source_ips" => [ "%{source_ip}" ] }
      }
    }
    if [destination_ip] {
      mutate {
        add_field => { "ips" => "%{destination_ip}" }
        add_field => { "destination_ips" => [ "%{destination_ip}" ] }
      }
    }
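An Elasticsearch ingest pipeline that reproduces the Logstash logic above, added here as an example that is not part of this issue or of the securityonion-elastic code. The pipeline name, the sample event and the offline emulation of the append processor are assumptions of the example; against a real cluster the same check is POST _ingest/pipeline/_simulate.

```python
import json

# (input field, per-direction array field) pairs, mirroring the two Logstash
# mutate blocks quoted in the comment above.
IP_FIELDS = (("source_ip", "source_ips"), ("destination_ip", "destination_ips"))

# Constructed sample event, not taken from Security Onion data.
SAMPLE_EVENT = {"source_ip": "10.0.0.5", "destination_ip": "192.0.2.7"}


def build_pipeline():
    """Body for PUT _ingest/pipeline/<name> (pipeline name left to the caller).

    The append processor creates the target array when the field is missing and
    appends otherwise, so an event with both IPs ends up with
    ips == [source_ip, destination_ip], as Logstash add_field also produces."""
    processors = []
    for src, per_direction in IP_FIELDS:
        for target in ("ips", per_direction):
            processors.append({"append": {
                "if": "ctx." + src + " != null",      # Painless condition
                "field": target,
                "value": ["{{" + src + "}}"],         # Mustache template of the IP
            }})
    return {"description": "derive ips/source_ips/destination_ips", "processors": processors}


def apply_locally(pipeline, event):
    """Offline stand-in for POST _ingest/pipeline/_simulate (an assumption of this
    example): emulates only the conditional append processor, which is all the
    pipeline above uses. Returns a new document; the input is not mutated."""
    doc = dict(event)
    for proc in pipeline["processors"]:
        cfg = proc["append"]
        src = cfg["if"][len("ctx."):].split()[0]
        if doc.get(src) is None:
            continue                                  # condition false: skipped
        values = [v.replace("{{" + src + "}}", str(doc[src])) for v in cfg["value"]]
        current = doc.get(cfg["field"])
        if current is None:
            doc[cfg["field"]] = values
        elif isinstance(current, list):
            doc[cfg["field"]] = [*current, *values]
        else:
            doc[cfg["field"]] = [current, *values]    # scalar promoted to an array
    return doc


if __name__ == "__main__":
    print(json.dumps(build_pipeline(), indent=2))
    print(apply_locally(build_pipeline(), SAMPLE_EVENT))
```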
dougburks added a commit to Security-Onion-Solutions/securityonion-elastic that referenced this issue Dec 26, 2019
@dougburks dougburks moved this from To do to In progress in 16.04.6.4 Dec 26, 2019
@dougburks dougburks self-assigned this Jan 3, 2020
@dougburks dougburks moved this from In progress to In Testing in 16.04.6.4 Jan 4, 2020
@defensivedepth defensivedepth commented Jan 14, 2020

Looks good!

@defensivedepth defensivedepth moved this from In Testing to Tested in 16.04.6.4 Jan 14, 2020
@dougburks dougburks closed this Feb 5, 2020
16.04.6.4 automation moved this from Tested to Done Feb 5, 2020