rename type to evnt_type and add beats listener

dougburks · Dec 10, 2017 · 4a1ae52 · 4a1ae52
1 parent d4ed5c6
commit 4a1ae52
Show file tree

Hide file tree

Showing 61 changed files with 145 additions and 127 deletions.
diff --git a/configfiles/0006_input_beats.conf b/configfiles/0006_input_beats.conf
@@ -0,0 +1,10 @@
+# Author: Justin Henderson
+# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
+# Email: justin@hasecuritysolutions.com
+# Last Update: 11/15/2017
+
+input {
+  beats {
+    port => "5044"
+  }
+}
diff --git a/configfiles/0006_input_import.conf → configfiles/0007_input_import.conf b/configfiles/0006_input_import.conf → configfiles/0007_input_import.conf
diff --git a/configfiles/8999_postprocess_rename_type.conf b/configfiles/8999_postprocess_rename_type.conf
@@ -0,0 +1,8 @@
+# Author: Doug Burks
+# Last Update: 12/10/2017
+
+filter {
+    mutate {
+	  rename => [ "type", "event_type" ]
+	}
+}
diff --git a/configfiles/9004_output_flow.conf b/configfiles/9004_output_flow.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "sflow" and "test_data" not in [tags] {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9004"]
 	}
   }
 }
 output {
-  if [type] == "sflow" and "test_data" not in [tags] {
+  if [event_type] == "sflow" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9026_output_dhcp.conf b/configfiles/9026_output_dhcp.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "dhcp" and "test_data" not in [tags] {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9026"]
 	}
   }
 }
 output {
-  if [type] == "dhcp" and "test_data" not in [tags] {
+  if [event_type] == "dhcp" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9029_output_esxi.conf b/configfiles/9029_output_esxi.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "esxi" and "test_data" not in [tags] {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9029"]
 	}
   }
 }
 output {
-  if [type] == "esxi" and "test_data" not in [tags] {
+  if [event_type] == "esxi" and "test_data" not in [tags] {
     elasticsearch {
       hosts => elasticsearch
       template => "/logstash-template.json"

diff --git a/configfiles/9030_output_greensql.conf b/configfiles/9030_output_greensql.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "greensql" and "test_data" not in [tags] {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9030"]
 	}
   }
 }
 output {
-  if [type] == "greensql" and "test_data" not in [tags] {
+  if [event_type] == "greensql" and "test_data" not in [tags] {
     elasticsearch {
       hosts => elasticsearch
       template => "/logstash-template.json"

diff --git a/configfiles/9031_output_iis.conf b/configfiles/9031_output_iis.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "iis" and "test_data" not in [tags] {
+  if [event_type] == "iis" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9031"]
 	}
   }
 }
 output {
-  if [type] == "iis" and "test_data" not in [tags] {
+  if [event_type] == "iis" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9032_output_mcafee.conf b/configfiles/9032_output_mcafee.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "mcafee" and "test_data" not in [tags] {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9032"]
 	}
   }
 }
 output {
-  if [type] == "mcafee" and "test_data" not in [tags] {
+  if [event_type] == "mcafee" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9033_output_snort.conf b/configfiles/9033_output_snort.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "snort" and "test_data" not in [tags] {
+  if [event_type] == "snort" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9033"]
 	}
   }
 }
 output {
-    if [type] == "snort" and "test_data" not in [tags] {
+    if [event_type] == "snort" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9300_output_windows.conf b/configfiles/9300_output_windows.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "windows" and "test_data" not in [tags] {
+  if [event_type] == "windows" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9300"]
 	}
   }
 }
 output {
-  if [type] == "windows" and "test_data" not in [tags] {
+  if [event_type] == "windows" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9301_output_dns_windows.conf b/configfiles/9301_output_dns_windows.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "dns" and "test_data" not in [tags] {
+  if [event_type] == "dns" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9301"]
 	}
   }
 }
 output {
-  if [type] == "dns" and "test_data" not in [tags] {
+  if [event_type] == "dns" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/configfiles/9400_output_suricata.conf b/configfiles/9400_output_suricata.conf
@@ -4,14 +4,14 @@
 # Last Update: 12/9/2016
 
 filter {
-  if [type] == "suricata" and "test_data" not in [tags] {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
     mutate {
 	  ##add_tag => [ "conf_file_9400"]
 	}
   }
 }
 output {
-  if [type] == "suricata" and "test_data" not in [tags] {
+  if [event_type] == "suricata" and "test_data" not in [tags] {
     #stdout { codec => rubydebug }
     elasticsearch {
       hosts => elasticsearch

diff --git a/kibana/dashboards/01600fb0-34e4-11e7-9669-7f1d3242b798.json b/kibana/dashboards/01600fb0-34e4-11e7-9669-7f1d3242b798.json
@@ -77,7 +77,7 @@
         "title": "Notices - Logs",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"type:bro_notice\",\"analyze_wildcard\":true}}}"
+          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_notice\",\"analyze_wildcard\":true}}}"
         },
         "columns": [
           "source_ip",
@@ -280,7 +280,7 @@
       "type": "visualization",
       "version": 2,
       "attributes": {
-        "visState": "{\"title\":\"Notices - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"metric\",\"series\":[{\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"#68BC00\",\"split_mode\":\"filter\",\"metrics\":[{\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\",\"field\":null}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_size\":\"1000\",\"terms_order_by\":null,\"filter\":\"type:bro_notice\",\"label\":\"Notices  - Log Count\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"background_color_rules\":[{\"value\":0,\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"rgba(251,158,0,1)\",\"opperator\":\"gte\"}],\"drop_last_bucket\":0,\"filter\":\"\"},\"aggs\":[],\"listeners\":{}}",
+        "visState": "{\"title\":\"Notices - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"metric\",\"series\":[{\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"#68BC00\",\"split_mode\":\"filter\",\"metrics\":[{\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\",\"field\":null}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_size\":\"1000\",\"terms_order_by\":null,\"filter\":\"event_type:bro_notice\",\"label\":\"Notices  - Log Count\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"background_color_rules\":[{\"value\":0,\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"rgba(251,158,0,1)\",\"opperator\":\"gte\"}],\"drop_last_bucket\":0,\"filter\":\"\"},\"aggs\":[],\"listeners\":{}}",
         "description": "",
         "title": "Notices - Log Count (Builder)",
         "uiStateJSON": "{}",

diff --git a/kibana/dashboards/022713e0-3ab0-11e7-a83b-b1b4da7d15f4.json b/kibana/dashboards/022713e0-3ab0-11e7-a83b-b1b4da7d15f4.json
@@ -56,7 +56,7 @@
         "title": "NTLM - Logs",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"type:bro_ntlm\",\"analyze_wildcard\":true}}}"
+          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}}}"
         },
         "columns": [
           "source_ip",
@@ -258,7 +258,7 @@
       "type": "visualization",
       "version": 1,
       "attributes": {
-        "visState": "{\"title\":\"NTLM - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"color\":\"rgba(251,158,0,1)\",\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"opperator\":\"gte\",\"value\":0}],\"drop_last_bucket\":0,\"filter\":\"\",\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":\"type:bro_ntlm\",\"formatter\":\"number\",\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"label\":\"NTLM - Log Count\",\"line_width\":1,\"metrics\":[{\"field\":null,\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_order_by\":null,\"terms_size\":\"1000\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"aggs\":[],\"listeners\":{}}",
+        "visState": "{\"title\":\"NTLM - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"color\":\"rgba(251,158,0,1)\",\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"opperator\":\"gte\",\"value\":0}],\"drop_last_bucket\":0,\"filter\":\"\",\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":\"event_type:bro_ntlm\",\"formatter\":\"number\",\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"label\":\"NTLM - Log Count\",\"line_width\":1,\"metrics\":[{\"field\":null,\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_order_by\":null,\"terms_size\":\"1000\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"aggs\":[],\"listeners\":{}}",
         "description": "",
         "title": "NTLM - Log Count (Builder)",
         "uiStateJSON": "{}",

diff --git a/kibana/dashboards/0de7a390-3644-11e7-a6f7-4f44d7bf1c33.json b/kibana/dashboards/0de7a390-3644-11e7-a6f7-4f44d7bf1c33.json
@@ -161,7 +161,7 @@
         "title": "OSSEC - Alerts",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"*:logstash-*\",\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"type:ossec\",\"analyze_wildcard\":true}}}"
+          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"*:logstash-*\",\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}}}"
         },
         "columns": [
           "alert_level",
@@ -189,7 +189,7 @@
       "type": "visualization",
       "version": 2,
       "attributes": {
-        "visState": "{\"title\":\"OSSEC Alerts - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"metric\",\"series\":[{\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"#68BC00\",\"split_mode\":\"filter\",\"metrics\":[{\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\",\"field\":null}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_size\":\"1000\",\"terms_order_by\":null,\"filter\":\"type:ossec && tags:alert\",\"label\":\"OSSEC Alerts - Log Count\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"background_color_rules\":[{\"value\":0,\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"rgba(251,158,0,1)\",\"opperator\":\"gte\"}],\"drop_last_bucket\":0,\"filter\":\"\"},\"aggs\":[],\"listeners\":{}}",
+        "visState": "{\"title\":\"OSSEC Alerts - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"metric\",\"series\":[{\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"#68BC00\",\"split_mode\":\"filter\",\"metrics\":[{\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\",\"field\":null}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_size\":\"1000\",\"terms_order_by\":null,\"filter\":\"event_type:ossec && tags:alert\",\"label\":\"OSSEC Alerts - Log Count\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"background_color_rules\":[{\"value\":0,\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"color\":\"rgba(251,158,0,1)\",\"opperator\":\"gte\"}],\"drop_last_bucket\":0,\"filter\":\"\"},\"aggs\":[],\"listeners\":{}}",
         "description": "",
         "title": "OSSEC Alerts - Log Count (Builder)",
         "uiStateJSON": "{}",

diff --git a/kibana/dashboards/230134a0-34c6-11e7-8360-0b86c90983fd.json b/kibana/dashboards/230134a0-34c6-11e7-8360-0b86c90983fd.json
@@ -139,7 +139,7 @@
         "title": "HTTP - Logs",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\n  \"index\": \"*:logstash-*\",\n  \"highlightAll\": true,\n  \"version\": true,\n  \"filter\": [],\n  \"query\": {\n    \"query_string\": {\n      \"query\": \"type:bro_http\",\n      \"analyze_wildcard\": true\n    }\n  }\n}"
+          "searchSourceJSON": "{\n  \"index\": \"*:logstash-*\",\n  \"highlightAll\": true,\n  \"version\": true,\n  \"filter\": [],\n  \"query\": {\n    \"query_string\": {\n      \"query\": \"event_type:bro_http\",\n      \"analyze_wildcard\": true\n    }\n  }\n}"
         },
         "columns": [
           "source_ip",
@@ -362,7 +362,7 @@
       "type": "visualization",
       "version": 1,
       "attributes": {
-        "visState": "{\"title\":\"HTTP - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"color\":\"rgba(251,158,0,1)\",\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"opperator\":\"gte\",\"value\":0}],\"drop_last_bucket\":0,\"filter\":\"\",\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":\"type:bro_http\",\"formatter\":\"number\",\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"label\":\"HTTP - Log Count\",\"line_width\":1,\"metrics\":[{\"field\":null,\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_order_by\":null,\"terms_size\":\"1000\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"aggs\":[],\"listeners\":{}}",
+        "visState": "{\"title\":\"HTTP - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"color\":\"rgba(251,158,0,1)\",\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"opperator\":\"gte\",\"value\":0}],\"drop_last_bucket\":0,\"filter\":\"\",\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":\"event_type:bro_http\",\"formatter\":\"number\",\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"label\":\"HTTP - Log Count\",\"line_width\":1,\"metrics\":[{\"field\":null,\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_order_by\":null,\"terms_size\":\"1000\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"aggs\":[],\"listeners\":{}}",
         "description": "",
         "title": "HTTP - Log Count (Builder)",
         "uiStateJSON": "{}",

diff --git a/kibana/dashboards/27f3b380-3583-11e7-a588-05992195c551.json b/kibana/dashboards/27f3b380-3583-11e7-a588-05992195c551.json
@@ -203,7 +203,7 @@
         "title": "FTP - Logs",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"type:bro_ftp\",\"analyze_wildcard\":true}}}"
+          "searchSourceJSON": "{\"index\":\"*:logstash-*\",\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}}}"
         },
         "columns": [
           "source_ip",
@@ -258,7 +258,7 @@
       "type": "visualization",
       "version": 1,
       "attributes": {
-        "visState": "{\"title\":\"FTP - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"color\":\"rgba(251,158,0,1)\",\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"opperator\":\"gte\",\"value\":0}],\"drop_last_bucket\":0,\"filter\":\"\",\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":\"type:bro_ftp\",\"formatter\":\"number\",\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"label\":\"FTP - Log Count\",\"line_width\":1,\"metrics\":[{\"field\":null,\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_order_by\":null,\"terms_size\":\"1000\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"aggs\":[],\"listeners\":{}}",
+        "visState": "{\"title\":\"FTP - Log Count (Builder)\",\"type\":\"metrics\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"color\":\"rgba(251,158,0,1)\",\"id\":\"631c5cc0-c578-11e7-89f7-f9b51b5d4b2f\",\"opperator\":\"gte\",\"value\":0}],\"drop_last_bucket\":0,\"filter\":\"\",\"id\":\"613db1b0-c578-11e7-89f7-f9b51b5d4b2f\",\"index_pattern\":\"*:logstash-*\",\"interval\":\"1y\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":\"event_type:bro_ftp\",\"formatter\":\"number\",\"id\":\"613db1b1-c578-11e7-89f7-f9b51b5d4b2f\",\"label\":\"FTP - Log Count\",\"line_width\":1,\"metrics\":[{\"field\":null,\"id\":\"613db1b2-c578-11e7-89f7-f9b51b5d4b2f\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_mode\":\"filter\",\"stacked\":\"none\",\"terms_field\":\"sensor_name.keyword\",\"terms_order_by\":null,\"terms_size\":\"1000\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"metric\"},\"aggs\":[],\"listeners\":{}}",
         "description": "",
         "title": "FTP - Log Count (Builder)",
         "uiStateJSON": "{}",