diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 81bc3f92e9b8..8adee27e54cb 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -818,6 +818,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. {pull}25764[25764]
 - Make `filestream` input GA. {pull}26127[26127]
 - Add new `parser` to `filestream` input: `container`. {pull}26115[26115]
+- Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
index 76e5178572e3..c1bd282d72dc 100644
--- a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.capture_loss.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.capture_loss.ts
 - set:
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index 93245720a06e..0eb015e15485 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.connection.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.connection.ts
 - set:
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log b/x-pack/filebeat/module/zeek/connection/test/connection-json.log
index 1275e552e3b7..467f28552c17 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log
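Review bot: The `- ISO8601` line added to the capture_loss and connection `date` processors, and to every other Zeek pipeline in this diff, is exercised only by the single ISO8601 record added to `connection-json.log`; as far as this diff shows, the ISO8601 branch of every other fileset is untested. That matters most for the guarded secondary `date` processors (kerberos `valid.*`, ntp `*_time`, ocsp `revoke.date`/`update.*`, pe `compile_time`, smb_files `times.*`, snmp `up_since`, ssl `not_before`/`not_after`, x509 `valid.*`), where an ISO8601 string reaches a `target_field` conversion that no fixture pins. Consider adding one ISO8601 record to each affected fileset's `test/*-json.log` so the regenerated `*-expected.json` fixes the parsed `@timestamp` and those secondary fields. The connection fixture also shows the microsecond fraction Zeek writes (`13.160328Z`) being stored as `13.160Z`; if that millisecond truncation is intended it is worth a one-line comment next to the `formats:` list.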
@@ -2,3 +2,4 @@
 {"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
 {"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
 {"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
+{"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.217.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
index 088aee7aedf4..ee6333827868 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
@@ -218,5 +218,60 @@
 "zeek.connection.state": "OTH",
 "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).",
 "zeek.session_id": "Cc6NJ3GRlfjE44I3h"
+ },
+ {
+ "@timestamp": "2021-06-09T20:55:13.160Z",
+ "destination.address": "172.217.9.68",
+ "destination.as.number": 15169,
+ "destination.as.organization.name": "Google LLC",
+ "destination.bytes": 0,
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 37.751,
+ "destination.geo.location.lon": -97.822,
+ "destination.ip": "172.217.9.68",
+ "destination.packets": 0,
+ "destination.port": 80,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.connection",
+ "event.id": "C2KP1V3alRLoxl4JB9",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "info"
+ ],
+ "fileset.name": "connection",
+ "input.type": "log",
+ "log.offset": 1488,
+ "network.bytes": 0,
+ "network.community_id": "1:DzqI9CYXjMSYV8VoSAHtMNfMIeU=",
+ "network.direction": "outbound",
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "related.ip": [
+ "10.0.2.15",
+ "172.217.9.68"
+ ],
+ "service.type": "zeek",
+ "source.address": "10.0.2.15",
+ "source.bytes": 0,
+ "source.ip": "10.0.2.15",
+ "source.packets": 0,
+ "source.port": 46408,
+ "tags": [
+ "zeek.connection",
+ "local_orig"
+ ],
+ "zeek.connection.history": "C",
+ "zeek.connection.local_orig": true,
+ "zeek.connection.local_resp": false,
+ "zeek.connection.missed_bytes": 0,
+ "zeek.connection.state": "OTH",
+ "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).",
+ "zeek.session_id": "C2KP1V3alRLoxl4JB9"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
index f0a837709dcf..cd3aa92da66b 100644
--- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.dce_rpc.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.dce_rpc.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml
index 49216c077c27..5bdf44d2c594 100644
--- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.dhcp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.dhcp.ts
 - set:
diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
index e104312e1e13..071b22ff81bb 100644
--- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.dnp3.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.dnp3.ts
 - set:
diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
index 6d9ed369ea89..58372aa2446f 100644
--- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml
@@ -12,6 +12,7 @@ processors:
 field: zeek.dns.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.dns.ts
diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml
index 32d1852c3e2c..9eeacd831679 100644
--- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.dpd.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.dpd.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml
index 754720e92095..c7b1d33ec9a6 100644
--- a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.files.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.files.ts
 - script:
diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml
index f1f7d0b4f522..52d08b15db92 100644
--- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.ftp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.ftp.ts
 - dot_expander:
diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml
index a2c4a85b9941..b4cc3baf6e4d 100644
--- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.http.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.http.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
index f70094311318..1f193b4e22c3 100644
--- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml
@@ -11,6 +11,7 @@ processors:
 field: zeek.intel.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.intel.ts
 # IP Geolocation Lookup
diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml
index dd1e37a7035e..fb8c233bd256 100644
--- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.irc.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.irc.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
index e0f45f715850..b9c61080aa57 100644
--- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.kerberos.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.kerberos.ts
 - script:
@@ -20,12 +21,14 @@ processors:
 target_field: zeek.kerberos.valid.until
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.kerberos.valid?.until != null
 - date:
 field: zeek.kerberos.valid.from
 target_field: zeek.kerberos.valid.from
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.kerberos.valid?.from != null
 - set:
 field: event.outcome
diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml
index d918b2de09a2..eadc215c31a1 100644
--- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.modbus.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.modbus.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml
index d5552af6d29f..f0dcd1098c05 100644
--- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.mysql.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.mysql.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml
index c741d355361f..b80566d66c6a 100644
--- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.notice.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.notice.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml
index 690fd54a54ba..ce950e49bda2 100644
--- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.ntlm.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.ntlm.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml
index ed603292a3d3..a93599c91d00 100644
--- a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.ntp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.ntp.ts
 # IP Geolocation Lookup
@@ -85,21 +86,25 @@ processors:
 target_field: zeek.ntp.ref_time
 formats:
 - UNIX
+ - ISO8601
 - date:
 field: zeek.ntp.org_time
 target_field: zeek.ntp.org_time
 formats:
 - UNIX
+ - ISO8601
 - date:
 field: zeek.ntp.rec_time
 target_field: zeek.ntp.rec_time
 formats:
 - UNIX
+ - ISO8601
 - date:
 field: zeek.ntp.xmt_time
 target_field: zeek.ntp.xmt_time
 formats:
 - UNIX
+ - ISO8601
 - convert:
 ignore_missing: true
 field: zeek.ntp.version
diff --git a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml
index 462c1f366120..b4681a7637a6 100644
--- a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.ocsp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.ocsp.ts
 - date:
@@ -17,18 +18,21 @@ processors:
 target_field: zeek.ocsp.revoke.date
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.ocsp.revoke?.date != null
 - date:
 field: zeek.ocsp.update.this
 target_field: zeek.ocsp.update.this
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.ocsp.update?.this != null
 - date:
 field: zeek.ocsp.update.next
 target_field: zeek.ocsp.update.next
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.ocsp.update?.next != null
 - append:
 field: related.hash
diff --git a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml
index 6e1272a8ab2a..08c1b27c294c 100644
--- a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.pe.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.pe.ts
 - date:
@@ -17,6 +18,7 @@ processors:
 target_field: zeek.pe.compile_time
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.pe.compile_time != null
 on_failure:
 - set:
diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml
index acc7fad2f030..1736ed47656e 100644
--- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.radius.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.radius.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml
index bbe4abcee9fa..78aa132f9efa 100644
--- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.rdp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.rdp.ts
 - convert:
diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml
index 2ce5fda4e16b..4a3b6621e7ed 100644
--- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.rfb.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.rfb.ts
 - append:
diff --git a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml
index 539ea5d79121..5c35409d28dc 100644
--- a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml
@@ -11,6 +11,7 @@ processors:
 field: zeek.signature.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.signature.ts
 # IP Geolocation Lookup
diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml
index 045d5afe760b..ddba53574cd8 100644
--- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.sip.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.sip.ts
 - grok:
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml
index 0a853104351e..3034b1833307 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.smb_cmd.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.smb_cmd.ts
 - remove:
diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml
index b1c0d3a69920..18ba31c60cb6 100644
--- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.smb_files.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.smb_files.ts
 - dot_expander:
@@ -29,6 +30,7 @@ processors:
 target_field: zeek.smb_files.times.accessed
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.smb_files.times?.accessed != null
 - set:
 field: file.accessed
@@ -39,6 +41,7 @@ processors:
 target_field: zeek.smb_files.times.changed
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.smb_files.times?.accessed != null
 - set:
 field: file.ctime
@@ -49,6 +52,7 @@ processors:
 target_field: zeek.smb_files.times.created
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.smb_files.times?.accessed != null
 - set:
 field: file.created
@@ -59,6 +63,7 @@ processors:
 target_field: zeek.smb_files.times.modified
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.smb_files.times?.accessed != null
 - set:
 field: file.mtime
diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
index e116e1bfb600..15ed595d245b 100644
--- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.smb_mapping.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.smb_mapping.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml
index 03e2ffb6a250..5cf3b12cf247 100644
--- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.smtp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.smtp.ts
 - date:
diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml
index 1aefc539733d..7fd305fab5ab 100644
--- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.snmp.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.snmp.ts
 - date:
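Review bot: The `if:` guards on the `zeek.smb_files.times.changed`, `times.created` and `times.modified` date processors (hunks at -39, -49 and -59 of smb_files/ingest/pipeline.yml) all test `ctx.zeek.smb_files.times?.accessed != null` instead of the field each processor converts, and the new `- ISO8601` format is added beneath those guards unchanged. A record that carries `accessed` but lacks one of the other three would run a `date` processor on an absent field, which fails the document unless an `on_failure` handler outside the hunk catches it. The guards should read `if: ctx.zeek.smb_files.times?.changed != null`, `if: ctx.zeek.smb_files.times?.created != null` and `if: ctx.zeek.smb_files.times?.modified != null` respectively. Whether Zeek ever emits a partial `times` record is not visible from this diff, so this may be latent rather than hit in practice, but it is a copy-paste defect worth fixing while the processors are being touched.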
@@ -17,6 +18,7 @@ processors:
 target_field: zeek.snmp.up_since
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.snmp.up_since != null
 - geoip:
 field: destination.ip
diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
index e64c5ec9eb33..4f98ce007ab3 100644
--- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.socks.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.socks.ts
 - dot_expander:
diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml
index 26980d26f3da..7e943ae513af 100644
--- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.ssh.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.ssh.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
index 4a980be985a2..eb7a25ca0265 100644
--- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
@@ -11,6 +11,7 @@ processors:
 field: zeek.ssl.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.ssl.ts
 - date:
@@ -19,12 +20,14 @@ processors:
 target_field: tls.server.not_before
 formats:
 - UNIX
+ - ISO8601
 - date:
 if: ctx.tls?.server?.not_after != null
 field: tls.server.not_after
 target_field: tls.server.not_after
 formats:
 - UNIX
+ - ISO8601
 - geoip:
 field: destination.ip
 target_field: destination.geo
diff --git a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml
index 04e851e14a90..b86e9d65dba4 100644
--- a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.stats.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.stats.ts
 - set:
diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml
index 5f3432ec4888..4838fad72c52 100644
--- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.syslog.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.syslog.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml
index f4744c540d71..da5f549f23ef 100644
--- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.traceroute.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.traceroute.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml
index 9ca83da33051..51c912764fbd 100644
--- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.tunnel.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.tunnel.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
index d791eb77a09c..8ee448cda4de 100644
--- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml
@@ -10,6 +10,7 @@ processors:
 field: zeek.weird.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.weird.ts
 - geoip:
diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
index db9317cca6e7..ccca3995ad7b 100644
--- a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml
@@ -11,6 +11,7 @@ processors:
 field: zeek.x509.ts
 formats:
 - UNIX
+ - ISO8601
 - remove:
 field: zeek.x509.ts
 - set:
@@ -129,6 +130,7 @@ processors:
 target_field: zeek.x509.certificate.valid.from
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.x509.certificate?.valid?.from != null
 - set:
 field: file.x509.not_before
@@ -139,6 +141,7 @@ processors:
 target_field: zeek.x509.certificate.valid.until
 formats:
 - UNIX
+ - ISO8601
 if: ctx.zeek.x509.certificate?.valid?.until != null
 - set:
 field: file.x509.not_after