minor fixes for zeek v6.2.0 ldap logs

mmguero-dev · Mar 15, 2024 · 34d31d7 · 34d31d7
1 parent 9aed3b1
commit 34d31d7
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 52 deletions.
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1937,12 +1937,6 @@ filter {
           code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)"
         }
       }
-      mutate { id => "mutate_split_zeek_ldap_commas"
-               split => { "[zeek_cols][operation]" => ","
-                          "[zeek_cols][result_code]" => ","
-                          "[zeek_cols][result_message]" => ","
-                          "[zeek_cols][object]" => ","
-                          "[zeek_cols][argument]" => "," } }
     }
 
     mutate {
@@ -1990,13 +1984,6 @@ filter {
           code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)"
         }
       }
-      mutate { id => "mutate_split_zeek_ldap_search_commas"
-               split => { "[zeek_cols][scope]" => ","
-                          "[zeek_cols][deref]" => ","
-                          "[zeek_cols][attributes]" => ","
-                          "[zeek_cols][base_object]" => ","
-                          "[zeek_cols][result_code]" => ","
-                          "[zeek_cols][result_message]" => "," } }
     }
 
     mutate {

diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -863,27 +863,6 @@ filter {
     #############################################################################################################################
     # ldap.log specific logic
 
-    if ([zeek][ldap][object]) or ([zeek][ldap][argument]) {
-      ruby {
-        id => "ruby_zeek_ldap_object_and_arguments_adjustment"
-        code => "
-          if (objects = event.get('[zeek][ldap][object]')) and (objects.length > 0) then
-            objectsAdj = Array.new
-            objects.each do |val|
-              objectsAdj.push(val.gsub('\\x2c', ','))
-            end
-            event.set('[zeek][ldap][object]', objectsAdj)
-          end
-          if (arguments = event.get('[zeek][ldap][argument]')) and (arguments.length > 0) then
-            argsAdj = Array.new
-            arguments.each do |val|
-              argsAdj.push(val.gsub('\\x2c', ','))
-            end
-            event.set('[zeek][ldap][argument]', argsAdj)
-          end"
-      }
-    }
-
     # map simple bind "object" and "argument" to username and password
     # and map to Arkime types
     if ("bind simple" in [zeek][ldap][operation]) {
@@ -908,24 +887,6 @@ filter {
                merge => { "[ldap][authtype]" => "[@metadata][ldapAuthType]" } }
     }
 
-  } else if ([log_source] == "ldap_search") {
-    #############################################################################################################################
-    # ldap_search.log specific logic
-
-    if ([zeek][ldap_search][base_object]) {
-      ruby {
-        id => "ruby_zeek_ldap_search_base_object_adjustment"
-        code => "
-          if (objects = event.get('[zeek][ldap_search][base_object]')) and (objects.length > 0) then
-            objectsAdj = Array.new
-            objects.each do |val|
-              objectsAdj.push(val.gsub('\\x2c', ','))
-            end
-            event.set('[zeek][ldap_search][base_object]', objectsAdj)
-          end"
-      }
-    }
-
   } else if ([log_source] == "modbus") {
     #############################################################################################################################
     # modbus.log specific logic