

Sync zeek package with beats (#696)
marc-gr authored Feb 17, 2021
1 parent d267c5b commit 8049dcf
Showing 41 changed files with 53 additions and 38 deletions.
2 changes: 1 addition & 1 deletion packages/zeek/_dev/deploy/docker/sample_logs/http.log
@@ -1,2 +1,2 @@
{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}
Expand Up @@ -24,4 +24,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
Expand Up @@ -87,4 +87,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/dce_rpc/agent/stream/log.yml.hbs
Expand Up @@ -55,4 +55,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/dhcp/agent/stream/log.yml.hbs
Expand Up @@ -101,4 +101,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/dnp3/agent/stream/log.yml.hbs
Expand Up @@ -61,4 +61,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/dns/agent/stream/log.yml.hbs
Expand Up @@ -205,4 +205,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/dpd/agent/stream/log.yml.hbs
Expand Up @@ -53,4 +53,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/files/agent/stream/log.yml.hbs
Expand Up @@ -46,4 +46,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/ftp/agent/stream/log.yml.hbs
Expand Up @@ -75,4 +75,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
3 changes: 2 additions & 1 deletion packages/zeek/data_stream/http/agent/stream/log.yml.hbs
Expand Up @@ -62,6 +62,7 @@ processors:
- {from: "destination.address", to: "destination.ip", type: "ip"}
- {from: "destination.port", to: "url.port"}
- {from: "http.request.method", to: "event.action"}
- {from: "url.username", to: "user.name"}
ignore_missing: true
fail_on_error: false
- add_fields:
Expand All @@ -79,4 +80,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
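Review bot: The new `- {from: "url.username", to: "user.name"}` entry in the first hunk copies a value that Zeek records from the observed request (the `username` key in the updated sample `http.log`, presumably taken from the client-supplied credentials in the request), so `user.name` now carries an identity asserted by the client, not one the monitored server is known to have authenticated. Detections and dashboards that use `user.name` as a trusted principal should be told that; a comment above the entry, `# user.name is the request-supplied username (url.username), not an authenticated identity`, would record it in the template, and the `description` of the new `user.name` entry in `packages/zeek/data_stream/http/fields/ecs.yml` (and the README row) could carry the same caveat. The list this entry extends, and the processor it belongs to (the `ignore_missing`/`fail_on_error` options suggest a `convert` processor), starts before the hunk.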
9 changes: 9 additions & 0 deletions packages/zeek/data_stream/http/fields/ecs.yml
Expand Up @@ -308,3 +308,12 @@
ignore_above: 1024
name: user_agent.version
type: keyword
- description: Short name or login of the user.
ignore_above: 1024
multi_fields:
- flat_name: user.name.text
name: text
norms: false
type: text
name: user.name
type: keyword
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/intel/agent/stream/log.yml.hbs
Expand Up @@ -71,4 +71,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/irc/agent/stream/log.yml.hbs
Expand Up @@ -66,4 +66,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
Expand Up @@ -89,4 +89,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/modbus/agent/stream/log.yml.hbs
Expand Up @@ -69,4 +69,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/mysql/agent/stream/log.yml.hbs
Expand Up @@ -69,4 +69,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
Expand Up @@ -81,6 +81,10 @@ processors:
field: event.type
value: end
if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'"
- append:
field: event.category
value: session
if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')"
on_failure:
- set:
field: error.message
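Review bot: The new `append` of `session` to `event.category` sets no `allow_duplicates`, so if `event.category` already holds `session` (an event re-run through the pipeline, or an earlier processor outside this hunk that already categorises connect events) the array gains a duplicate entry; adding `allow_duplicates: false` to the processor avoids that on stack versions that support the option. The `if` condition mirrors the `ctx?.zeek?.mysql?.cmd != null && …` guard used by the preceding `set`, which keeps the two consistent. The enclosing `processors:` list starts before the hunk and the `on_failure` handler continues past it.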
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/notice/agent/stream/log.yml.hbs
Expand Up @@ -87,4 +87,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/ntlm/agent/stream/log.yml.hbs
Expand Up @@ -79,4 +79,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/ocsp/agent/stream/log.yml.hbs
Expand Up @@ -54,4 +54,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/pe/agent/stream/log.yml.hbs
Expand Up @@ -34,4 +34,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/radius/agent/stream/log.yml.hbs
Expand Up @@ -55,4 +55,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/rdp/agent/stream/log.yml.hbs
Expand Up @@ -74,4 +74,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/rfb/agent/stream/log.yml.hbs
Expand Up @@ -64,4 +64,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/sip/agent/stream/log.yml.hbs
Expand Up @@ -80,4 +80,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/smb_cmd/agent/stream/log.yml.hbs
Expand Up @@ -90,4 +90,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
Expand Up @@ -58,4 +58,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
Expand Up @@ -54,4 +54,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/smtp/agent/stream/log.yml.hbs
Expand Up @@ -61,4 +61,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/snmp/agent/stream/log.yml.hbs
Expand Up @@ -62,4 +62,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/socks/agent/stream/log.yml.hbs
Expand Up @@ -61,4 +61,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/ssh/agent/stream/log.yml.hbs
Expand Up @@ -66,4 +66,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/ssl/agent/stream/log.yml.hbs
Expand Up @@ -69,4 +69,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/stats/agent/stream/log.yml.hbs
Expand Up @@ -74,4 +74,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/syslog/agent/stream/log.yml.hbs
Expand Up @@ -52,4 +52,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
Expand Up @@ -44,4 +44,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/tunnel/agent/stream/log.yml.hbs
Expand Up @@ -52,4 +52,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/weird/agent/stream/log.yml.hbs
Expand Up @@ -52,4 +52,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/x509/agent/stream/log.yml.hbs
Expand Up @@ -56,4 +56,4 @@ processors:
- add_fields:
target: ''
fields:
ecs.version: 1.7.0
ecs.version: 1.8.0
1 change: 1 addition & 0 deletions packages/zeek/docs/README.md
Expand Up @@ -983,6 +983,7 @@ HTTP requests and replies.
| url.password | Password of the request. | keyword |
| url.port | Port of the request, such as 443. | long |
| url.username | Username of the request. | keyword |
| user.name | Short name or login of the user. | keyword |
| user_agent.device.name | Name of the device. | keyword |
| user_agent.name | Name of the user agent. | keyword |
| user_agent.original | Unparsed user_agent string. | keyword |
