
Fix idaholab#126, suricata logs show up in Arkime as 'notip' for protocol
mmguero committed Nov 21, 2022
1 parent b20d0a3 commit 7be8ada
Showing 1 changed file with 11 additions and 9 deletions.
20 changes: 11 additions & 9 deletions logstash/pipelines/suricata/11_suricata_logs.conf
Expand Up @@ -110,7 +110,7 @@ filter {
rename => { "[suricata][dest_port]" => "[destination][port]" }
rename => { "[suricata][src_ip]" => "[source][ip]" }
rename => { "[suricata][src_port]" => "[source][port]" }
rename => { "[suricata][proto]" => "[ipProtocol]" }
rename => { "[suricata][proto]" => "[network][transport]" }
rename => { "[suricata][event_type]" => "[event][dataset]" }
rename => { "[suricata][vlan]" => "[network][vlan][id]" }
}
Expand All @@ -119,21 +119,23 @@ filter {
# network protocol stuff

# transport protocol (e.g., udp, tcp, etc.)
if ([ipProtocol]) {
if ([network][transport]) {
mutate { id => "mutate_lowercase_suricata_network_transport"
lowercase => [ "[network][transport]" ] }
translate {
id => "translate_suricata_proto"
source => "[ipProtocol]"
target => "[network][transport]"
dictionary_path => "/etc/ip_protocol_number_to_name.yaml"
source => "[network][transport]"
target => "[ipProtocol]"
dictionary_path => "/etc/ip_protocol_name_to_number.yaml"
}
mutate { id => "mutate_merge_suricata_proto"
merge => { "[protocol]" => "[network][transport]" } }
}
if ([ipProtocol]) {
# ECS - ipProtocol -> network.iana_number
mutate { id => "mutate_add_field_suricata_ecs_network_iana_number"
add_field => { "[network][iana_number]" => "%{[ipProtocol]}" } }
}
if ([network][transport]) {
mutate { id => "mutate_merge_suricata_proto"
merge => { "[protocol]" => "[network][transport]" } }
}

# network (application) protocol
if ([suricata][app_proto_orig]) {
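Review bot: The `translate_suricata_proto` filter on the new side has no `fallback`, so a `[network][transport]` value that is not a key in `/etc/ip_protocol_name_to_number.yaml` silently leaves `[ipProtocol]` (and therefore `network.iana_number`) unset while the event otherwise passes through. If I recall correctly, Suricata writes a zero-padded decimal protocol number (e.g. `"253"`) into `proto` for protocols it has no name for — worth confirming against Suricata's JSON output code — and after this change such values would never reach Arkime's ipProtocol, which is the field this commit is fixing. A small guard after the translate that copies an all-digit value straight into `[ipProtocol]` closes that gap; alternatively add a `fallback` or ensure the YAML also carries the numeric strings as keys. The enclosing `filter {` block begins and ends outside this hunk.

```logstash
      translate {
        id => "translate_suricata_proto"
        source => "[network][transport]"
        target => "[ipProtocol]"
        dictionary_path => "/etc/ip_protocol_name_to_number.yaml"
      }
      # Suricata may emit a bare protocol number when it has no name for the
      # protocol (confirm); keep it as the IANA number instead of dropping it
      # on a dictionary miss
      if (![ipProtocol] and [network][transport] =~ /^[0-9]+$/) {
        mutate { id => "mutate_add_field_suricata_proto_numeric"
                 add_field => { "[ipProtocol]" => "%{[network][transport]}" } }
      }
    }
    # … unchanged: ipProtocol -> network.iana_number and [protocol] merge …
```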

