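---
description: Pipeline for parsing DHCP lease logs.
processors:
  # ECS envelope: every document this pipeline emits is a network protocol event.
  - set:
      field: ecs.version
      value: '8.8.0'
  - set:
      field: event.kind
      value: event
  - set:
      field: event.category
      value: [network]
  - set:
      field: event.type
      value: [protocol]
  # Keep the raw record as event.original and parse it into a scratch `json`
  # object; both are removed near the end of the pipeline (see the remove
  # processors below).
  - rename:
      field: message
      target_field: event.original
      ignore_missing: true
  - json:
      field: event.original
      target_field: json
  # Deterministic _id derived from the lease lifetime fields, so re-ingesting
  # the same lease record updates the existing document rather than
  # duplicating it.
  - fingerprint:
      fields:
        - json.starts
        - json.last_updated
        - json.ends
      target_field: _id
      ignore_missing: true
  # Leased address: validated as an IP by the convert processor; a value that
  # is not a valid IP is recorded in error.message instead of being indexed.
  - convert:
      field: json.address
      target_field: infoblox_bloxone_ddi.dhcp_lease.address
      if: ctx.json?.address != ''
      type: ip
      ignore_missing: true
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - append:
      field: related.ip
      value: '{{{infoblox_bloxone_ddi.dhcp_lease.address}}}'
      # Guarded like the related.hosts appends below so a missing or rejected
      # address does not append an empty string.
      if: ctx.infoblox_bloxone_ddi?.dhcp_lease?.address != null
      allow_duplicates: false
      ignore_failure: true
  - rename:
      field: json.client_id
      target_field: infoblox_bloxone_ddi.dhcp_lease.client_id
      ignore_missing: true
  # The DHCP client identifier is copied as-is into client.user.id.
  - set:
      field: client.user.id
      copy_from: infoblox_bloxone_ddi.dhcp_lease.client_id
      ignore_failure: true
  # Lease end time; parse failures are appended to error.message.
  - date:
      field: json.ends
      target_field: infoblox_bloxone_ddi.dhcp_lease.ends
      if: ctx.json?.ends != null && ctx.json.ends != ''
      formats:
        - ISO8601
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - set:
      field: event.end
      copy_from: infoblox_bloxone_ddi.dhcp_lease.ends
      ignore_failure: true
  - rename:
      field: json.fingerprint
      target_field: infoblox_bloxone_ddi.dhcp_lease.fingerprint.value
      ignore_missing: true
  - rename:
      field: json.fingerprint_processed
      target_field: infoblox_bloxone_ddi.dhcp_lease.fingerprint.processed
      ignore_missing: true
  - rename:
      field: json.ha_group
      target_field: infoblox_bloxone_ddi.dhcp_lease.ha_group
      ignore_missing: true
  # Hardware (MAC) address normalisation: ':' and '.' separators become '-',
  # then the value is upper-cased, giving one canonical form for searching.
  - gsub:
      field: json.hardware
      pattern: '[:.]'
      replacement: '-'
      ignore_missing: true
  - uppercase:
      field: json.hardware
      ignore_missing: true
  - rename:
      field: json.hardware
      target_field: infoblox_bloxone_ddi.dhcp_lease.hardware
      ignore_missing: true
  # host / hostname from the lease are mirrored into ECS host.* and collected
  # in related.hosts for pivoting.
  - rename:
      field: json.host
      target_field: infoblox_bloxone_ddi.dhcp_lease.host
      ignore_missing: true
  - set:
      field: host.name
      copy_from: infoblox_bloxone_ddi.dhcp_lease.host
      ignore_failure: true
  - append:
      field: related.hosts
      value: '{{{host.name}}}'
      if: ctx.host?.name != null
      allow_duplicates: false
      ignore_failure: true
  - rename:
      field: json.hostname
      target_field: infoblox_bloxone_ddi.dhcp_lease.hostname
      ignore_missing: true
  - set:
      field: host.hostname
      copy_from: infoblox_bloxone_ddi.dhcp_lease.hostname
      ignore_failure: true
  - append:
      field: related.hosts
      value: '{{{host.hostname}}}'
      if: ctx.host?.hostname != null
      allow_duplicates: false
      ignore_failure: true
  # DHCPv6 identity association id; non-numeric input is reported via
  # error.message rather than failing the document.
  - convert:
      field: json.iaid
      target_field: infoblox_bloxone_ddi.dhcp_lease.iaid
      if: ctx.json?.iaid != ''
      type: long
      ignore_missing: true
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # last_updated is the event timestamp.
  - date:
      field: json.last_updated
      target_field: infoblox_bloxone_ddi.dhcp_lease.last_updated
      if: ctx.json?.last_updated != null && ctx.json.last_updated != ''
      formats:
        - ISO8601
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - set:
      field: '@timestamp'
      copy_from: infoblox_bloxone_ddi.dhcp_lease.last_updated
      ignore_failure: true
  - rename:
      field: json.options
      target_field: infoblox_bloxone_ddi.dhcp_lease.options
      ignore_missing: true
  - date:
      field: json.preferred_lifetime
      target_field: infoblox_bloxone_ddi.dhcp_lease.preferred_lifetime
      if: ctx.json?.preferred_lifetime != null && ctx.json.preferred_lifetime != ''
      formats:
        - ISO8601
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # Map the vendor protocol labels (ip4/ip6) onto the ECS network.type
  # vocabulary (ipv4/ipv6); any other label is passed through unchanged.
  - set:
      field: json.protocol
      value: ipv4
      if: ctx.json?.protocol == 'ip4'
      ignore_failure: true
  - set:
      field: json.protocol
      value: ipv6
      if: ctx.json?.protocol == 'ip6'
      ignore_failure: true
  - rename:
      field: json.protocol
      target_field: infoblox_bloxone_ddi.dhcp_lease.protocol
      ignore_missing: true
  - set:
      field: network.type
      copy_from: infoblox_bloxone_ddi.dhcp_lease.protocol
      ignore_failure: true
  - lowercase:
      field: network.type
      ignore_failure: true
  - rename:
      field: json.space
      target_field: infoblox_bloxone_ddi.dhcp_lease.space
      ignore_missing: true
  # Lease start time, mirrored into event.start.
  - date:
      field: json.starts
      target_field: infoblox_bloxone_ddi.dhcp_lease.starts
      if: ctx.json?.starts != null && ctx.json.starts != ''
      formats:
        - ISO8601
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  - set:
      field: event.start
      copy_from: infoblox_bloxone_ddi.dhcp_lease.starts
      ignore_failure: true
  - rename:
      field: json.state
      target_field: infoblox_bloxone_ddi.dhcp_lease.state
      ignore_missing: true
  - rename:
      field: json.type
      target_field: infoblox_bloxone_ddi.dhcp_lease.type
      ignore_missing: true
  # Clean-up: drop the scratch object, then the vendor fields that were
  # copied into ECS fields above, unless the `preserve_duplicate_custom_fields`
  # tag asks to keep them.
  - remove:
      field: json
      ignore_missing: true
  - remove:
      field:
        - infoblox_bloxone_ddi.dhcp_lease.last_updated
        - infoblox_bloxone_ddi.dhcp_lease.client_id
        - infoblox_bloxone_ddi.dhcp_lease.ends
        - infoblox_bloxone_ddi.dhcp_lease.starts
        - infoblox_bloxone_ddi.dhcp_lease.hostname
        - infoblox_bloxone_ddi.dhcp_lease.host
        - infoblox_bloxone_ddi.dhcp_lease.protocol
      if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
      ignore_failure: true
      ignore_missing: true
  # The raw lease record (event.original) is only retained when the
  # `preserve_original_event` tag is present.
  - remove:
      field: event.original
      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
      ignore_failure: true
      ignore_missing: true
  # Final pass: remove null/empty scalars, and any map or list left empty as
  # a result, anywhere in the document.
  - script:
      description: Drops null/empty values recursively.
      lang: painless
      source: |
        boolean dropEmptyFields(Object object) {
          if (object == null || object == '') {
            return true;
          } else if (object instanceof Map) {
            ((Map) object).values().removeIf(value -> dropEmptyFields(value));
            return (((Map) object).size() == 0);
          } else if (object instanceof List) {
            ((List) object).removeIf(value -> dropEmptyFields(value));
            return (((List) object).length == 0);
          }
          return false;
        }
        dropEmptyFields(ctx);
# Any processor failure not handled above marks the document as a pipeline
# error and records the reason, so the event is indexed rather than lost.
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'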