Fix errors in filebeat Zeek dashboard and README files. Update field descriptions. Add notice.log support. #10916
Conversation
|
Pinging @elastic/secops |
|
Nit: One small thing I noticed when setting up zeek was that in the readme you need networks.cfg Rather than network.cfg For: /etc/bro/network.cfg So I think it should be: /etc/bro/networks.cfg In the readme. |
Yes. Sorry for the typo. |
alakahakai
changed the title
alakahakai
changed the title
There was a problem hiding this comment.
Noted a few things that need to change.
Good stuff overall, though. And I love the idea of doing the field renames right in Beats. It's lightweight and allows for the use of Beats processors on the predictable ECS field names, instead of the arbitrary field names of each different sources.
x-pack/filebeat/module/zeek/_meta/kibana/7/dashboard/Filebeat-Zeek-Overview.json
Outdated
Show resolved
Hide resolved
x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
Outdated
Show resolved
Hide resolved
alakahakai
changed the title
| @@ -1 +1,3 @@ | |||
| {"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]} | |||
| {"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]} | |||
| {"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":383341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]} | |||
| { | ||
| "script": { | ||
| "lang": "painless", | ||
| "source": "ctx.destination.ip = ctx['destination']['address'];", |
There was a problem hiding this comment.
Sorry for not catching this earlier, but this copy and the following two can be done with set and the same if.
We should avoid using Painless in cases like this, as it adds unnecessary overhead (even if small).
Check out an example in Suricata module
There was a problem hiding this comment.
It was using set processors before. I did not see there was an "if" for set, and set processor was creating null value fields. I will fix this.
This actually was not the problem. There was a typo in suricata pipeline that caused a parse error, so the test was stuck. |
|
I think this needs to be backported to 7.x. Will open a new PR for that. |
Update Filebeat Zeek dashboard to address {issue}10915[10915]