fix renaming some json fields

cisagov · Mar 4, 2024 · ba26fa6 · ba26fa6
1 parent 8bd8e44
commit ba26fa6
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/dashboards/templates/composable/component/zeek_diagnostic.json b/dashboards/templates/composable/component/zeek_diagnostic.json
@@ -26,11 +26,9 @@
             "packet_filter.success": { "type": "keyword" },
             "packet_filter.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
             "print.vals": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
-            "reporter.node": { "type": "keyword" },
-            "reporter.filter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
-            "reporter.init": { "type": "keyword" },
-            "reporter.success": { "type": "keyword" },
-            "reporter.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
+            "reporter.level": { "type": "keyword" },
+            "reporter.message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
+            "reporter.location": { "type": "keyword" },
             "stats.peer": { "type": "keyword" },
             "stats.mem": { "type": "long" },
             "stats.pkts_proc": { "type": "long" },

diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -6017,7 +6017,13 @@ filter {
     # reporter.log
     # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info
 
-    if ("_jsonparsesuccess" not in [tags]) {
+    if ("_jsonparsesuccess" in [tags]) {
+      mutate {
+        id => "mutate_rename_zeek_json_reporter_fields"
+        rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" }
+      }
+
+    } else {
       dissect {
         id => "dissect_zeek_diagnostic_reporter"
         # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
@@ -6033,7 +6039,7 @@ filter {
         }
         ruby {
           id => "ruby_zip_zeek_diagnostic_reporter"
-          init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]"
+          init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]"
           code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)"
         }
       }