fix renaming some json fields

cisagov · Mar 4, 2024 · 8bd8e44 · 8bd8e44
1 parent 23eff16
commit 8bd8e44
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -5815,7 +5815,17 @@ filter {
     # broker.log
     # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html
 
-    if ("_jsonparsesuccess" not in [tags]) {
+    if ("_jsonparsesuccess" in [tags]) {
+      mutate {
+        id => "mutate_rename_zeek_json_broker_fields"
+        rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" }
+        rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" }
+        rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" }
+        rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" }
+        rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" }
+      }
+
+    } else {
       dissect {
         id => "dissect_zeek_diagnostic_broker"
         # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
@@ -5877,7 +5887,13 @@ filter {
     # Logging for establishing and controlling a cluster of Zeek instances
     # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info
 
-    if ("_jsonparsesuccess" not in [tags]) {
+    if ("_jsonparsesuccess" in [tags]) {
+      mutate {
+        id => "mutate_rename_zeek_json_cluster_fields"
+        rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" }
+      }
+
+    } else {
       dissect {
         id => "dissect_zeek_diagnostic_cluster"
         # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP