-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathfluent-bit-filters-bro-dhcp.conf
162 lines (141 loc) · 4.39 KB
/
fluent-bit-filters-bro-dhcp.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# Tabular log format parser
[FILTER]
Name parser
Match ${observer_product}.dhcp
Key_Name log
Parser bro_dhcp_parser
Preserve_Key on
Reserve_Data on
# JSON log format parser
[FILTER]
Name parser
Match ${observer_product}.dhcp.json
Key_Name log
Parser bro_dhcp_parser_json
Preserve_Key off
Reserve_Data on
# Prefix all regular keys ([A-z]*) with 'zeek_dhcp_'
# This will also catch any extended fields to move them under zeek.dhcp
[FILTER]
Name lua
Match ${observer_product}.dhcp*
Script bro_dhcp_parse.lua
Call bro_dhcp_prefix_all
[FILTER]
Name modify
Match ${observer_product}.dhcp
Add zeek_log_file dhcp
Add zeek_log_format tab
# These are special "_*" keys, rename them separately
[FILTER]
Name modify
Match ${observer_product}.dhcp.json
Rename _path zeek_log_file
Rename _write_ts zeek_write_ts
Add zeek_log_format json
# ECS: Pre-process DHCP-specific fields
# Note: uids left as is for parsing via lua bro_dhcp_parse_uids function
# Note: msg_type left as is for parsing via lua bro_dhcp_parse_msg_types function
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Add _event_dataset ${observer_product}.dhcp
Rename zeek_dhcp_client_addr client_ip
Rename zeek_dhcp_server_addr server_ip
Rename zeek_dhcp_mac host_mac
Rename zeek_dhcp_host_name host_hostname
Rename zeek_dhcp_requested_addr zeek_dhcp_ip_requested
Rename zeek_dhcp_assigned_addr zeek_dhcp_ip_assigned
Rename zeek_dhcp_duration _event_duration
Rename zeek_dhcp_log _log_original
# Copies
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Copy client_ip source_ip
Copy server_ip destination_ip
# host.ip is important for Elastic SIEM Inspect IP overview widget
Copy client_ip host_ip
# Use MAC address as a host.id - should work well for end user or iot devices
Copy host_mac host_id
# Cleanup - remove keys represending IP addresses if value is "-"
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals client_ip -
Remove_regex client_ip
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals server_ip -
Remove_regex server_ip
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_ip_requested -
Remove_regex zeek_dhcp_ip_requested
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_ip_assigned -
Remove_regex zeek_dhcp_ip_assigned
# Cleanup - remove keys represending numbers if value is "-"
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_lease_time -
Remove_regex zeek_dhcp_lease_time
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals host_hostname -
Remove_regex host_hostname
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_client_fqdn -
Remove_regex zeek_dhcp_client_fqdn
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_domain -
Remove_regex zeek_dhcp_domain
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_client_message -
Remove_regex zeek_dhcp_client_message
[FILTER]
Name modify
Match ${observer_product}.dhcp*
Condition Key_value_equals zeek_dhcp_server_message -
Remove_regex zeek_dhcp_server_message
# CUSTOM: Parse custom Zeek uids into an array (tab log format only)
[FILTER]
Name lua
Match ${observer_product}.dhcp
Script bro_dhcp_parse.lua
Call bro_dhcp_parse_uids
# CUSTOM: Parse custom Zeek DHCP Message Types into an array (tab log format only)
[FILTER]
Name lua
Match ${observer_product}.dhcp
Script bro_dhcp_parse.lua
Call bro_dhcp_parse_msg_types
# CUSTOM: Nest JSON objects to comply with ECS notation: Zeek DHCP - inner layer
[FILTER]
Name nest
Match ${observer_product}.dhcp*
Operation nest
Wildcard zeek_dhcp_*
Nest_under dhcp
Remove_prefix zeek_dhcp_
# CUSTOM: Nest JSON objects to comply with ECS notation: Zeek DHCP - outer layer
[FILTER]
Name nest
Match ${observer_product}.dhcp*
Operation nest
Wildcard zeek_*
Wildcard dhcp*
Nest_under zeek
Remove_prefix zeek_