From 5469c46c82da8472a22dce446a48ef2d1827c0db Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Mon, 26 Oct 2020 12:21:07 -0500
Subject: [PATCH] Fix zeek connection pipeline (#22151)
- connection state for rejected is 'REJ'
Closes #22149
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 9e79ccef1dd5..ae48f268977d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -287,6 +287,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix checkpoint module when logs contain time field. {pull}20567[20567]
 - Add field limit check for AWS Cloudtrail flattened fields. {pull}21388[21388] {issue}21382[21382]
 - Fix syslog RFC 5424 parsing in the CheckPoint module. {pull}21854[21854]
+- Fix incorrect connection state mapping in zeek connection pipeline. {pull}22151[22151] {issue}22149[22149]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index 9cd654edd516..c25c9cee6e5d 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -115,7 +115,7 @@ processors:
 - connection
 - start
 - end
- REG:
+ REJ:
 conn_str: "Connection attempt rejected."
 types:
 - connection
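Review bot: The corrected `REJ:` key in pipeline.yml lands without a fixture that would have caught the `REG` typo; the diffstat lists only the changelog and the pipeline, so no sample log or expected output with a rejected connection is added. With the old key, events whose state is REJ presumably missed this entry and were indexed without the "Connection attempt rejected." description and its event types, which leaves a gap for detections keyed on those fields. I would add a test log line with a REJ connection and its expected output next to the module's existing test data, plus a comment above the map such as `# keys must match Zeek conn_state values exactly (S0, REJ, RSTO, ...)`. The map and the processor that reads it start and end outside this hunk, so how an unmatched state is handled cannot be checked from here.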