work on idaholab#19, assigning severity to certain types of events

docker-compose-standalone.yml

@@ -229,7 +229,7 @@ services:
       - 9600
     volumes:
       - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
-      - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
+      - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro
       - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
       - ./logstash/certs/ca.crt:/certs/ca.crt:ro
       - ./logstash/certs/server.crt:/certs/server.crt:ro

docker-compose.yml

@@ -242,7 +242,7 @@ services:
     volumes:
       - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
       - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro
-      - ./logstash/maps/malcolm_severity.yaml:/etc/logstash/maps/malcolm_severity.yaml:ro
+      - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro
       - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw
       - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro
       - ./logstash/certs/ca.crt:/certs/ca.crt:ro

logstash/pipelines/enrichment/19_severity.conf

@@ -206,7 +206,9 @@ filter {
   # in addition to insecure/outdated protocols, append PROTOCOL_XXX to the
   # severity_tags list, where XXX is the uppercased value of zeek.service,
   # so that if the user wants to add PROTOCOL_SSH or whatever to their mapping
-  # for a custom severity value it will just work
+  # for a custom severity value it will just work. if it's not in their
+  # mapping file, it'll return with a nil value and will be removed
+  # in ruby_calculate_final_severity_score
   if (!([zeek][logType] =~ /^known/)) {
     ruby {
       id => "ruby_add_field_severity_insecure_protocols"
@@ -287,8 +289,5 @@ filter {
       end"
   }
 
-
-
-
 } # filter