for supporting JSON logs from Zeek (idaholab#65); almost certainly br…

…oken at this point
mmguero-dev · Feb 16, 2024 · bf232c6 · bf232c6
1 parent 58f74b2
commit bf232c6
Show file tree

Hide file tree

Showing 6 changed files with 2,919 additions and 3,194 deletions.
diff --git a/filebeat/scripts/filebeat-process-zeek-folder.sh b/filebeat/scripts/filebeat-process-zeek-folder.sh
@@ -18,8 +18,6 @@ LOCKDIR="/tmp/zeek-beats-process-folder"
 
 export SCRIPT_DIR="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
-export ZEEK_LOG_FIELD_BITMAP_SCRIPT="$SCRIPT_DIR/zeek-log-field-bitmap.py"
-
 export ZEEK_LOG_AUTO_TAG=${AUTO_TAG:-"true"}
 
 ZEEK_LOGS_DIR=${FILEBEAT_ZEEK_DIR:-/zeek/}
@@ -81,13 +79,8 @@ if mkdir $LOCKDIR; then
       do
         PROCESS_TIME=$(date +%s%N)
         TAGS_JOINED=$(printf "%s," "${TAGS[@]}")${PROCESS_TIME}
-        FIELDS_BITMAP="$($ZEEK_LOG_FIELD_BITMAP_SCRIPT "$LOGFILE" | head -n 1)"
         LINKNAME_BASE="$(basename "$LOGFILE" .log)"
-        if [[ -n $FIELDS_BITMAP ]]; then
-          LINKNAME="${LINKNAME_BASE}(${TAGS_JOINED},${FIELDS_BITMAP}).log"
-        else
-          LINKNAME="${LINKNAME_BASE}(${TAGS_JOINED}).log"
-        fi
+        LINKNAME="${LINKNAME_BASE}(${TAGS_JOINED}).log"
         touch "$LOGFILE"
         ln -sfr "$LOGFILE" "$LINKDIR/$LINKNAME"
       done

diff --git a/filebeat/scripts/zeek-log-field-bitmap.py b/filebeat/scripts/zeek-log-field-bitmap.py