From f3b893d2811618a7ccca93401ef429766625b67c Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Fri, 22 Feb 2019 20:48:53 -0500
Subject: [PATCH] Handle event_type:stats as event.kind:metric
---
 .../module/suricata/eve/ingest/pipeline.json | 20 +++----------------
 .../eve/test/eve-small.log-expected.json | 3 +--
 2 files changed, 4 insertions(+), 19 deletions(-)
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
index 85a3d591978e..e1fcf7c0c6e5 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
@@ -256,23 +256,9 @@
 }
 },
 {
- "set": {
- "if": "ctx.suricata?.eve?.event_type == \"alert\"",
- "field": "event.kind",
- "value": "alert"
- }
- },
- {
- "set": {
- "if": "ctx.suricata?.eve?.event_type != \"alert\"",
- "field": "event.kind",
- "value": "event"
- }
- },
- {
- "set": {
- "field": "event.category",
- "value": "network_traffic"
+ "script": {
+ "lang": "painless",
+ "source": "def t = ctx.suricata?.eve?.event_type; if (t == \"stats\") {\n ctx['event']['kind'] = \"metric\";\n} else if (t == \"alert\") {\n ctx['event']['kind'] = \"alert\";\n ctx['event']['category'] = \"network_traffic\";\n} else {\n ctx['event']['kind'] = \"event\";\n ctx['event']['category'] = \"network_traffic\";\n}"
 }
 }
 ],
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
index 3cb37412bbe9..82c1fd667255 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
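Review bot: The new Painless script writes through `ctx['event']['kind']` and `ctx['event']['category']` without checking that `ctx.event` exists; unlike the `set` processors it replaces, a script does not create intermediate objects, so a document that reaches this processor without an `event` object would fail with a null-pointer error instead of being tagged. The expected-output fixture shows `event.module` and `event.dataset` already present, so Filebeat presumably populates `event` before the pipeline runs, but that is an assumption this processor now silently depends on. A one-line guard at the top of the script keeps it self-contained: `if (ctx.event == null) { ctx.event = [:]; }`. As a matter of style, the script mixes `ctx.suricata?.eve?.event_type` with bracket access `ctx['event']['kind']`; using `ctx.event.kind` throughout would read consistently with the rest of the pipeline's conditions.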
@@ -197,10 +197,9 @@
 {
 "@timestamp": "2018-07-05T19:51:23.009Z",
 "ecs.version": "1.0.0-beta2",
- "event.category": "network_traffic",
 "event.dataset": "suricata.eve",
 "event.end": "2018-07-05T19:51:23.009Z",
- "event.kind": "event",
+ "event.kind": "metric",
 "event.module": "suricata",
 "fileset.name": "eve",
 "input.type": "log",