From 3241edc006c60448648147a1d205ae2e5bdbc65e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 5 May 2021 18:21:15 +0000 Subject: [PATCH 1/4] Add ISO8601 as supported timestamp type --- x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/files/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/http/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml | 3 +++ x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml | 5 +++++ x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml | 4 ++++ x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml | 2 ++ x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml | 5 +++++ x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml | 2 ++ x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml | 3 +++ x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml | 1 + x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml | 3 +++ 39 files changed, 58 insertions(+) diff --git a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml index 76e5178572e3..c1bd282d72dc 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.capture_loss.ts formats: - UNIX + - ISO8601 - remove: field: zeek.capture_loss.ts - set: diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml index 93245720a06e..0eb015e15485 100644 --- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.connection.ts formats: - UNIX + - ISO8601 - remove: field: zeek.connection.ts - set: diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml index f0a837709dcf..cd3aa92da66b 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dce_rpc.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dce_rpc.ts - append: diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml index 49216c077c27..5bdf44d2c594 100644 --- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dhcp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dhcp.ts - set: diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml index e104312e1e13..071b22ff81bb 100644 --- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dnp3.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dnp3.ts - set: diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml index 6d9ed369ea89..58372aa2446f 100644 --- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml @@ -12,6 +12,7 @@ processors: field: zeek.dns.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dns.ts diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml index 32d1852c3e2c..9eeacd831679 100644 --- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dpd.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dpd.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml index 754720e92095..c7b1d33ec9a6 100644 --- a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.files.ts formats: - UNIX + - ISO8601 - remove: field: zeek.files.ts - script: diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml index f1f7d0b4f522..52d08b15db92 100644 --- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ftp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ftp.ts - dot_expander: diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml index a2c4a85b9941..b4cc3baf6e4d 100644 --- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.http.ts formats: - UNIX + - ISO8601 - remove: field: zeek.http.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml index f70094311318..1f193b4e22c3 100644 --- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.intel.ts formats: - UNIX + - ISO8601 - remove: field: zeek.intel.ts # IP Geolocation Lookup diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml index dd1e37a7035e..fb8c233bd256 100644 --- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.irc.ts formats: - UNIX + - ISO8601 - remove: field: zeek.irc.ts - append: diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml index e0f45f715850..b9c61080aa57 100644 --- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.kerberos.ts formats: - UNIX + - ISO8601 - remove: field: zeek.kerberos.ts - script: @@ -20,12 +21,14 @@ processors: target_field: zeek.kerberos.valid.until formats: - UNIX + - ISO8601 if: ctx.zeek.kerberos.valid?.until != null - date: field: zeek.kerberos.valid.from target_field: zeek.kerberos.valid.from formats: - UNIX + - ISO8601 if: ctx.zeek.kerberos.valid?.from != null - set: field: event.outcome diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml index d918b2de09a2..eadc215c31a1 100644 --- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.modbus.ts formats: - UNIX + - ISO8601 - remove: field: zeek.modbus.ts - append: diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index d5552af6d29f..f0dcd1098c05 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.mysql.ts formats: - UNIX + - ISO8601 - remove: field: zeek.mysql.ts - append: diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml index c741d355361f..b80566d66c6a 100644 --- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.notice.ts formats: - UNIX + - ISO8601 - remove: field: zeek.notice.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml index 690fd54a54ba..ce950e49bda2 100644 --- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ntlm.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ntlm.ts - append: diff --git a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml index ed603292a3d3..a93599c91d00 100644 --- a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ntp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ntp.ts # IP Geolocation Lookup @@ -85,21 +86,25 @@ processors: target_field: zeek.ntp.ref_time formats: - UNIX + - ISO8601 - date: field: zeek.ntp.org_time target_field: zeek.ntp.org_time formats: - UNIX + - ISO8601 - date: field: zeek.ntp.rec_time target_field: zeek.ntp.rec_time formats: - UNIX + - ISO8601 - date: field: zeek.ntp.xmt_time target_field: zeek.ntp.xmt_time formats: - UNIX + - ISO8601 - convert: ignore_missing: true field: zeek.ntp.version diff --git a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml index 462c1f366120..b4681a7637a6 100644 --- a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ocsp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ocsp.ts - date: @@ -17,18 +18,21 @@ processors: target_field: zeek.ocsp.revoke.date formats: - UNIX + - ISO8601 if: ctx.zeek.ocsp.revoke?.date != null - date: field: zeek.ocsp.update.this target_field: zeek.ocsp.update.this formats: - UNIX + - ISO8601 if: ctx.zeek.ocsp.update?.this != null - date: field: zeek.ocsp.update.next target_field: zeek.ocsp.update.next formats: - UNIX + - ISO8601 if: ctx.zeek.ocsp.update?.next != null - append: field: related.hash diff --git a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml index 6e1272a8ab2a..08c1b27c294c 100644 --- a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.pe.ts formats: - UNIX + - ISO8601 - remove: field: zeek.pe.ts - date: @@ -17,6 +18,7 @@ processors: target_field: zeek.pe.compile_time formats: - UNIX + - ISO8601 if: ctx.zeek.pe.compile_time != null on_failure: - set: diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml index acc7fad2f030..1736ed47656e 100644 --- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.radius.ts formats: - UNIX + - ISO8601 - remove: field: zeek.radius.ts - append: diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml index bbe4abcee9fa..78aa132f9efa 100644 --- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.rdp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.rdp.ts - convert: diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml index 2ce5fda4e16b..4a3b6621e7ed 100644 --- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.rfb.ts formats: - UNIX + - ISO8601 - remove: field: zeek.rfb.ts - append: diff --git a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml index 539ea5d79121..5c35409d28dc 100644 --- a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.signature.ts formats: - UNIX + - ISO8601 - remove: field: zeek.signature.ts # IP Geolocation Lookup diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml index 045d5afe760b..ddba53574cd8 100644 --- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.sip.ts formats: - UNIX + - ISO8601 - remove: field: zeek.sip.ts - grok: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml index 0a853104351e..3034b1833307 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smb_cmd.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smb_cmd.ts - remove: diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml index b1c0d3a69920..18ba31c60cb6 100644 --- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smb_files.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smb_files.ts - dot_expander: @@ -29,6 +30,7 @@ processors: target_field: zeek.smb_files.times.accessed formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.accessed @@ -39,6 +41,7 @@ processors: target_field: zeek.smb_files.times.changed formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.ctime @@ -49,6 +52,7 @@ processors: target_field: zeek.smb_files.times.created formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.created @@ -59,6 +63,7 @@ processors: target_field: zeek.smb_files.times.modified formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.mtime diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml index e116e1bfb600..15ed595d245b 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smb_mapping.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smb_mapping.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml index 03e2ffb6a250..5cf3b12cf247 100644 --- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smtp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smtp.ts - date: diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml index 1aefc539733d..7fd305fab5ab 100644 --- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.snmp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.snmp.ts - date: @@ -17,6 +18,7 @@ processors: target_field: zeek.snmp.up_since formats: - UNIX + - ISO8601 if: ctx.zeek.snmp.up_since != null - geoip: field: destination.ip diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml index e64c5ec9eb33..4f98ce007ab3 100644 --- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.socks.ts formats: - UNIX + - ISO8601 - remove: field: zeek.socks.ts - dot_expander: diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml index 26980d26f3da..7e943ae513af 100644 --- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ssh.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ssh.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml index 4a980be985a2..eb7a25ca0265 100644 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.ssl.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ssl.ts - date: @@ -19,12 +20,14 @@ processors: target_field: tls.server.not_before formats: - UNIX + - ISO8601 - date: if: ctx.tls?.server?.not_after != null field: tls.server.not_after target_field: tls.server.not_after formats: - UNIX + - ISO8601 - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml index 04e851e14a90..b86e9d65dba4 100644 --- a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.stats.ts formats: - UNIX + - ISO8601 - remove: field: zeek.stats.ts - set: diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml index 5f3432ec4888..4838fad72c52 100644 --- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.syslog.ts formats: - UNIX + - ISO8601 - remove: field: zeek.syslog.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml index f4744c540d71..da5f549f23ef 100644 --- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.traceroute.ts formats: - UNIX + - ISO8601 - remove: field: zeek.traceroute.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml index 9ca83da33051..51c912764fbd 100644 --- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.tunnel.ts formats: - UNIX + - ISO8601 - remove: field: zeek.tunnel.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml index d791eb77a09c..8ee448cda4de 100644 --- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.weird.ts formats: - UNIX + - ISO8601 - remove: field: zeek.weird.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml index db9317cca6e7..ccca3995ad7b 100644 --- a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.x509.ts formats: - UNIX + - ISO8601 - remove: field: zeek.x509.ts - set: @@ -129,6 +130,7 @@ processors: target_field: zeek.x509.certificate.valid.from formats: - UNIX + - ISO8601 if: ctx.zeek.x509.certificate?.valid?.from != null - set: field: file.x509.not_before @@ -139,6 +141,7 @@ processors: target_field: zeek.x509.certificate.valid.until formats: - UNIX + - ISO8601 if: ctx.zeek.x509.certificate?.valid?.until != null - set: field: file.x509.not_after From 757469db2e13a9ee2bdc82855377883b552dbff5 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 5 May 2021 18:41:26 +0000 Subject: [PATCH 2/4] Update changelog for Zeek ts format --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 81bc3f92e9b8..e309fd0cf132 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -72,6 +72,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d * Checkpoint {pull}18754[18754] * Netflow {pull}19087[19087] * Zeek {pull}19113[19113] (`forwarded` tag is not included by default) +* Zeek {pull}25564[25564] (Add option for logs with ISO8601 timestamp) * Suricata {pull}19107[19107] (`forwarded` tag is not included by default) * CoreDNS {pull}19134[19134] (`forwarded` tag is not included by default) * Envoy Proxy {pull}19134[19134] (`forwarded` tag is not included by default) From d30ee4a6ef5ba3aff3e5c9a0d2832432d3430796 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Wed, 9 Jun 2021 16:19:56 -0500 Subject: [PATCH 3/4] fix up changelog and add ISO8601 test case --- CHANGELOG.next.asciidoc | 14 ++++- .../zeek/connection/test/connection-json.log | 1 + .../test/connection-json.log-expected.json | 55 +++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e309fd0cf132..102c8483e8b8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -72,7 +72,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d * Checkpoint {pull}18754[18754] * Netflow {pull}19087[19087] * Zeek {pull}19113[19113] (`forwarded` tag is not included by default) -* Zeek {pull}25564[25564] (Add option for logs with ISO8601 timestamp) * Suricata {pull}19107[19107] (`forwarded` tag is not included by default) * CoreDNS {pull}19134[19134] (`forwarded` tag is not included by default) * Envoy Proxy {pull}19134[19134] (`forwarded` tag is not included by default) @@ -819,6 +818,19 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. {pull}25764[25764] - Make `filestream` input GA. {pull}26127[26127] - Add new `parser` to `filestream` input: `container`. {pull}26115[26115] +- Support X-Forwarder-For in IIS logs. {pull}19142[192142] +- Add support for logs generated by servers configured with `log_statement` and `log_duration` in PostgreSQL module. {pull}24607[24607] +- Added fifteen new message IDs to Cisco ASA/FTD pipeline. {pull}24744[24744] +- Added NTP fileset to Zeek module {pull}24224[24224] +- Add `proxy_url` config for httpjson v2 input. {issue}24615[24615] {pull}24662[24662] +- Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636] +- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994] +- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041] +- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803] +- Add `uri_parts` processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. {issue}19088[19088] {pull}24699[24699] +- New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128] +- Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482] +- Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564] *Heartbeat* diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log b/x-pack/filebeat/module/zeek/connection/test/connection-json.log index 1275e552e3b7..467f28552c17 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log @@ -2,3 +2,4 @@ {"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]} {"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]} {"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]} +{"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.217.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0} diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index 088aee7aedf4..ee6333827868 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -218,5 +218,60 @@ "zeek.connection.state": "OTH", "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).", "zeek.session_id": "Cc6NJ3GRlfjE44I3h" + }, + { + "@timestamp": "2021-06-09T20:55:13.160Z", + "destination.address": "172.217.9.68", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.9.68", + "destination.packets": 0, + "destination.port": 80, + "event.category": [ + "network" + ], + "event.dataset": "zeek.connection", + "event.id": "C2KP1V3alRLoxl4JB9", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "info" + ], + "fileset.name": "connection", + "input.type": "log", + "log.offset": 1488, + "network.bytes": 0, + "network.community_id": "1:DzqI9CYXjMSYV8VoSAHtMNfMIeU=", + "network.direction": "outbound", + "network.packets": 0, + "network.transport": "tcp", + "related.ip": [ + "10.0.2.15", + "172.217.9.68" + ], + "service.type": "zeek", + "source.address": "10.0.2.15", + "source.bytes": 0, + "source.ip": "10.0.2.15", + "source.packets": 0, + "source.port": 46408, + "tags": [ + "zeek.connection", + "local_orig" + ], + "zeek.connection.history": "C", + "zeek.connection.local_orig": true, + "zeek.connection.local_resp": false, + "zeek.connection.missed_bytes": 0, + "zeek.connection.state": "OTH", + "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).", + "zeek.session_id": "C2KP1V3alRLoxl4JB9" } ] \ No newline at end of file From 85f844c2a88b03196d89943d159f31ad32f0f707 Mon Sep 17 00:00:00 2001 From: "Lee E. Hinman" Date: Wed, 9 Jun 2021 16:31:34 -0500 Subject: [PATCH 4/4] fix changelog --- CHANGELOG.next.asciidoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 102c8483e8b8..8adee27e54cb 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -818,18 +818,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. {pull}25764[25764] - Make `filestream` input GA. {pull}26127[26127] - Add new `parser` to `filestream` input: `container`. {pull}26115[26115] -- Support X-Forwarder-For in IIS logs. {pull}19142[192142] -- Add support for logs generated by servers configured with `log_statement` and `log_duration` in PostgreSQL module. {pull}24607[24607] -- Added fifteen new message IDs to Cisco ASA/FTD pipeline. {pull}24744[24744] -- Added NTP fileset to Zeek module {pull}24224[24224] -- Add `proxy_url` config for httpjson v2 input. {issue}24615[24615] {pull}24662[24662] -- Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636] -- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994] -- Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041] -- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803] -- Add `uri_parts` processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. {issue}19088[19088] {pull}24699[24699] -- New module `zookeeper` for Zookeeper service and audit logs {issue}25061[25061] {pull}25128[25128] -- Add parsing for `haproxy.http.request.raw_request_line` field {issue}25480[25480] {pull}25482[25482] - Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564] *Heartbeat*