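---
description: Pipeline for parsing Infoblox NIOS logs.
# Entry pipeline for the Infoblox NIOS log stream: parse the syslog envelope,
# classify the line by the emitting service and hand it to the matching
# sub-pipeline. Input that does not parse is still indexed (catch-all grok
# pattern below, pipeline-level on_failure at the bottom) rather than dropped,
# so a malformed or hostile line cannot make an event disappear from the index.
processors:
  # Keep the raw line before anything rewrites fields. It is removed again at
  # the end unless the input carries the `preserve_original_event` tag, so set
  # that tag where the verbatim line is needed as forensic evidence.
  - rename:
      field: message
      target_field: event.original
      ignore_missing: true
  - set:
      field: ecs.version
      value: '8.8.0'
  # Syslog envelope: <PRI>timestamp host [ip] service[pid]: body.
  # host.domain / host.ip are whatever the sender wrote into the header; they
  # are not authenticated and should not be used as trusted identity on their
  # own. service_name (also sender-controlled text) selects the sub-pipeline.
  # The last pattern matches anything, so grok itself never fails; lines that
  # only hit it keep the whole line in `message`, get no infoblox_nios.log.type
  # and skip every sub-pipeline. NOTE(review): such lines are indexed silently;
  # tagging them would make parser gaps visible to whoever hunts on this data.
  - grok:
      field: event.original
      patterns:
        - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\\s+%{NOTSPACE:host.domain}\\s+%{IP:host.ip}\\s+%{DATA:infoblox_nios.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$"
        - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\\s+(%{IP:host.ip}|%{NOTSPACE:host.domain})\\s+%{DATA:infoblox_nios.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$"
        - "^%{GREEDYDATA:message}$"
  # The timezone offset comes from the integration's configuration (_conf),
  # not from the log line. 'local' means "use the ingest node's default", in
  # which case no event.timezone is set and the second date processor runs.
  - rename:
      field: _conf.tz_offset
      target_field: event.timezone
      if: ctx._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'
      ignore_missing: true
      ignore_failure: true
  # Syslog timestamps carry no year, so the parser assumes the current year:
  # a Dec 31 line processed on Jan 1 is stamped a year late. Keep this in mind
  # when building timelines across a year boundary.
  # Three day-of-month variants are needed: "MMM d" and "MMM dd" for plain
  # digits, and "MMM  d" (two spaces) for the space-padded single-digit day
  # that syslog emits ("Jan  5") and that SYSLOGTIMESTAMP passes through as-is.
  # On failure the unparsed value is dropped and the error recorded; the
  # document is still indexed.
  - date:
      field: event.created
      timezone: '{{{event.timezone}}}'
      if: ctx.event?.timezone != null
      target_field: event.created
      formats:
        - MMM d HH:mm:ss
        - MMM dd HH:mm:ss
        - 'MMM  d HH:mm:ss'
        - dd-MMM-yyyy HH:mm:ss.SSS
      on_failure:
        - remove:
            field: event.created
            ignore_missing: true
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # Same parse without a timezone override (tz_offset unset or 'local').
  # Kept as a separate processor because the `timezone` option cannot be
  # given an empty template value.
  - date:
      field: event.created
      if: ctx.event?.timezone == null
      target_field: event.created
      formats:
        - MMM d HH:mm:ss
        - MMM dd HH:mm:ss
        - 'MMM  d HH:mm:ss'
        - dd-MMM-yyyy HH:mm:ss.SSS
      on_failure:
        - remove:
            field: event.created
            ignore_missing: true
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # Classify by the daemon named in the syslog header. Anything other than
  # dhcpd/dhcpdv6, named or httpd gets no type and is left as a plain event.
  - set:
      field: infoblox_nios.log.type
      value: 'DHCP'
      if: ctx.infoblox_nios?.log?.service_name == 'dhcpd' || ctx.infoblox_nios?.log?.service_name == 'dhcpdv6'
  - set:
      field: infoblox_nios.log.type
      value: 'DNS'
      if: ctx.infoblox_nios?.log?.service_name == 'named'
  - set:
      field: infoblox_nios.log.type
      value: 'AUDIT'
      if: ctx.infoblox_nios?.log?.service_name == 'httpd'
  # Dispatch to the per-type sub-pipeline. The sub-pipelines are not visible
  # here; NOTE(review): whether they set @timestamp from the log body (rather
  # than leaving the shipper's receipt time) must be confirmed in those files.
  - pipeline:
      name: '{{ IngestPipeline "pipeline_audit" }}'
      if: ctx.infoblox_nios?.log?.type == 'AUDIT'
  - pipeline:
      name: '{{ IngestPipeline "pipeline_dhcp" }}'
      if: ctx.infoblox_nios?.log?.type == 'DHCP'
  - pipeline:
      name: '{{ IngestPipeline "pipeline_dns" }}'
      if: ctx.infoblox_nios?.log?.type == 'DNS'
  # Fallback only: @timestamp is taken from the syslog header when nothing
  # upstream (shipper or sub-pipeline) has already set it.
  - set:
      field: '@timestamp'
      value: '{{{event.created}}}'
      if: "ctx['@timestamp'] == null && ctx.event?.created != null"
  # Validate the header IP; a value that is not a well-formed address is
  # removed (with the error recorded) instead of failing the document.
  - convert:
      field: host.ip
      if: ctx.host?.ip != null && ctx.host.ip != ''
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            field: host.ip
            ignore_missing: true
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
  # related.* collects every address / hostname seen on the event for pivoting.
  - append:
      field: related.ip
      value: '{{{host.ip}}}'
      if: ctx.host?.ip != null
      allow_duplicates: false
      ignore_failure: true
  - append:
      field: related.hosts
      value: '{{{host.domain}}}'
      if: ctx.host?.domain != null
      allow_duplicates: false
      ignore_failure: true
  # Appending host.ip to itself turns the scalar into a one-element array
  # (the ECS type for host.ip); allow_duplicates keeps it from doubling.
  - append:
      field: host.ip
      value: '{{{host.ip}}}'
      if: ctx.host?.ip != null
      allow_duplicates: false
      ignore_failure: true
  # Normalise event.action so detections can match it case-insensitively.
  - lowercase:
      field: event.action
      if: ctx.event?.action != null
      ignore_failure: true
  # Recursively strip null / empty-string leaves and the containers left empty
  # by that, so no-value fields never reach the index.
  - script:
      description: Drops null/empty values recursively.
      lang: painless
      source: |
        boolean drop(Object o) {
          if (o == null || o == '') {
            return true;
          } else if (o instanceof Map) {
            ((Map) o).values().removeIf(v -> drop(v));
            return (((Map) o).size() == 0);
          } else if (o instanceof List) {
            ((List) o).removeIf(v -> drop(v));
            return (((List) o).length == 0);
          }
          return false;
        }
        drop(ctx);
  # Drop the raw line unless explicitly asked to keep it (see the rename at
  # the top). Once removed, the unparsed original cannot be recovered.
  - remove:
      field: event.original
      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
      ignore_failure: true
      ignore_missing: true
  # Configuration carried in _conf must not be indexed with the event.
  - remove:
      field: _conf
      ignore_failure: true
      ignore_missing: true
# Any processor failure not handled above records the error and marks the
# document as a pipeline error; the event is indexed, not lost.
on_failure:
  - append:
      field: error.message
      value: '{{{_ingest.on_failure_message}}}'
  - set:
      field: event.kind
      value: pipeline_error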