diff --git a/filters/privafy/privafy.conf b/filters/privafy/privafy.conf
index a00e70568..1c5337923 100644
--- a/filters/privafy/privafy.conf
+++ b/filters/privafy/privafy.conf
@@ -1,6 +1,6 @@
 filter {
 
-# Privafy filter version 1.1.1
+# Privafy filter version 1.1.2
 # Based on (User Doc) https://docs.progress.com/es-ES/bundle/loadmaster-technical-note-common-event-format-cef-logs-ga/page/Common-Event-Format-CEF-Logs.html (December, 2023)
 # and (User Doc) https://help.deepsecurity.trendmicro.com/20_0/on-premise/event-syslog-message-formats.html (December, 2023)
 # and example logs provided by user during POC
@@ -132,15 +132,15 @@ filter {
 #Using grok to parse kv issued fields
 grok {
 match => {
-"cef_msg" => [
-"command_line=%{DATA:command_line} %{WORD}=(%{GREEDYDATA:irrelevant})?"
+"cef_or_leef_msg" => [
+"command_line=%{DATA:command_line}\s(\b([a-zA-Z0-9_]+)\b)=(%{GREEDYDATA:irrelevant})?"
 ]
 }
 }
 
 grok {
 match => {
-"cef_msg" => [
+"cef_or_leef_msg" => [
 "username=%{DATA:src_user} %{WORD}=(%{GREEDYDATA:irrelevant})?"
 ]
 }
@@ -148,7 +148,7 @@ filter {
 
 grok {
 match => {
-"cef_msg" => [
+"cef_or_leef_msg" => [
 "activity=%{DATA:activity} %{WORD}=(%{GREEDYDATA:irrelevant})?"
 ]
 }
@@ -156,7 +156,7 @@ filter {
 
 grok {
 match => {
-"cef_msg" => [
+"cef_or_leef_msg" => [
 "description=%{DATA:description} %{WORD}=(%{GREEDYDATA:irrelevant})?"
 ]
 }
@@ -164,7 +164,7 @@ filter {
 
 grok {
 match => {
-"cef_msg" => [
+"cef_or_leef_msg" => [
 "parent_path=%{DATA:parent_path} %{WORD}=(%{GREEDYDATA:irrelevant})?"
 ]
 }
@@ -172,7 +172,7 @@ filter {
 
 grok {
 match => {
-"cef_msg" => [
+"cef_or_leef_msg" => [
 "path=%{DATA:path} %{WORD}=(%{GREEDYDATA:irrelevant})?"
 ]
 }
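Review bot: The rewritten `command_line` pattern still stops `%{DATA:command_line}` at the first `\s<word>=` token, so a command line that itself carries `key=value` arguments (for example `-Dfoo=bar` or `/c set x=1`) is cut short and its tail is swallowed by `irrelevant`; `\s(\b([a-zA-Z0-9_]+)\b)=` is just `%{WORD}` spelled out, so it does not behave differently from the five sibling patterns that keep ` %{WORD}=`. If the extension keys of this format are a known set, terminate on that set instead of any word, e.g. `"command_line=%{DATA:command_line}\s(?:username|activity|description|parent_path|path)="` (extend the list with whatever other keys the producer emits). Each of these grok blocks also runs on every event and adds `_grokparsefailure` whenever the key is simply absent, and the final mutate later removes `tags`, so genuine parse failures become invisible; `tag_on_failure => []` on each block, or wrapping each in `if [cef_or_leef_msg] =~ /command_line=/ { ... }`, keeps the tag meaningful. Where `cef_or_leef_msg` is populated is outside these hunks, so I have not checked that it is always a string here.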
@@ -192,7 +192,7 @@ filter {
 rename => { "[format_version]" => "[kv_field][format_version]" }
 rename => { "[format_type]" => "[kv_field][format_type]" }
 rename => { "[end_msg]" => "[kv_field][end_msg]" }
-rename => { "[message]" => "[kv_field][message]" }
+rename => { "[prvf_message]" => "[kv_field][message]" }
 
 #Generating other fields
 rename => { "[kv_field][srcIP]" => "[kv_field][src_ip]" }
@@ -279,6 +279,10 @@ if [kv_field][severity]{
 event.get("[kv_field]").each do |k, v|
 if (v == "X0X")
 event.set("[logx][privafy][#{k}]",nil)
+elsif k.start_with?("-")
+event.remove(k)
+elsif k =~ /\W(.*)?/
+event.remove(k)
 elsif !(v.kind_of?(Array))
 new_v = v.to_s.gsub(/\"/, "")
 new_v = new_v.gsub(/\'/, "")
@@ -293,7 +297,7 @@ if [kv_field][severity]{
 #......................................................................#
 #Finally, remove unnecessary fields
 mutate {
-remove_field => ["@version","path","tags","type","syslog_version","kv_field","prvf_message","[logx][syslog][message]",
+remove_field => ["@version","path","tags","type","syslog_version","kv_field","prvf_message","[logx][syslog]",
 "not_defined","cef_or_leef_msg_all","cef_or_leef_msg","syslog_date_host","irrelevant","init_msg"]
 }
 }
diff --git a/web-pdf/.gitignore b/web-pdf/.gitignore
new file mode 100644
index 000000000..549e00a2a
--- /dev/null
+++ b/web-pdf/.gitignore
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
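Review bot: The two new `elsif` branches are placed after the `v == "X0X"` test, so a key containing `]`, `[`, whitespace or a quote whose value happens to be `X0X` still reaches `event.set("[logx][privafy][#{k}]", nil)` with a malformed field reference — the key sanity check has to run before any branch that interpolates `k` into a field path. `event.remove(k)` also removes a top-level field literally named `k`, not `[kv_field][#{k}]`, so both branches are in effect plain skips, and `start_with?("-")` is already covered by `\W`; one guard as the first statement of the block says what is meant: `next if k.match?(/\W/)  # key would corrupt the [logx][privafy][...] field reference`. `kv_field` is parsed from the log line, so this guard is what stops a remote sender from steering writes into arbitrary event fields via bracket characters in a key. The enclosing `ruby` filter block and the branch that copies non-`X0X` values start and end outside this hunk.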
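Review bot: `remove_field` now drops the whole `[logx][syslog]` object instead of just its `message`, so any sibling keys the earlier part of the filter may have placed under it (outside this hunk) disappear with it; if only the raw message was the concern keep `"[logx][syslog][message]"`, otherwise add a line above the mutate such as `# drop the whole syslog envelope: the filter only keeps the normalised fields under [logx][privafy]` so the next reader knows it is deliberate. `prvf_message` is still listed here although the hunk at line 192 renames it into `[kv_field][message]` (itself removed in this same list), so that entry appears to be dead and could be removed in the same change.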