
Merge branch '1.0' into pp_file_mime
brian-grabau authored Nov 5, 2024
2 parents 9442ee6 + 6edc54a commit d6de905
Showing 2 changed files with 6 additions and 4 deletions.
4 changes: 3 additions & 1 deletion config/processors/api_security_aws.guardduty.conf
Expand Up @@ -10,11 +10,13 @@ filter {
source => "message"
target => "guard"
}
mutate {
remove_field => [ "host", "event" ]
}
mutate {
add_field => { "[cloud][provider]" => "aws" }
add_field => { "[event][module]" => "aws" }
add_field => { "[event][dataset]" => "aws.guardduty" }
remove_field => [ "host", "event" ]
}
ruby {
init => '@ignore = [ "path", "@timestamp", "@metadata", "host", "@version" ]'
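Review bot: The split into two consecutive `mutate` blocks is the load-bearing part of this hunk, but nothing in the config says why, so a later cleanup that merges them back would silently reintroduce the bug. As I understand Logstash, a single mutate applies `add_field` before `remove_field`, so the old layout added `[event][module]` and `[event][dataset]` and then dropped the whole `event` object. I would put a comment above the first mutate: `# remove "event" in its own mutate: inside one mutate, remove_field runs after add_field and would delete the [event] fields added below`. Also worth confirming that nothing upstream (for example `[event][original]`) is expected to survive the blanket removal of `event`. The enclosing `filter` block starts before the hunk.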
6 changes: 3 additions & 3 deletions config/processors/syslog_security_symantec.endpoint.conf
Expand Up @@ -410,7 +410,7 @@ filter {
rename => {"[sepm][Source]" => "[log][logger]"}
rename => {"[sepm][Disposition]" => "[error][type]"}
rename => {"[sepm][Event Type]" => "[event][category]"}
remove_field => ["[log][date_time]", "[event][created]", "[received][date_time]", "actual_msg"]
remove_field => ["[log][date_time]", "[received][date_time]", "actual_msg"]
}
if [rule][id] {
mutate {
Expand Down Expand Up @@ -468,7 +468,7 @@ filter {

if [event][start] {
date {
match => ["[event][start]" , "yyyy-MM-dd HH:mm:ss"]
match => ["[event][start]", "ISO8601", "yyyy-MM-dd HH:mm:ss", "MMM dd HH:mm:ss"]
timezone => "GMT"
locale => "en"
target => "[event][start]"
Expand All @@ -482,7 +482,7 @@ filter {
}
if [event][end] {
date {
match => ["[event][end]" , "yyyy-MM-dd HH:mm:ss"]
match => ["[event][end]", "ISO8601", "yyyy-MM-dd HH:mm:ss", "MMM dd HH:mm:ss"]
timezone => "GMT"
locale => "en"
target => "[event][end]"
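Review bot: `"MMM dd HH:mm:ss"` on the new `[event][end]` match line (and the identical `[event][start]` change in the hunk above) will not match a syslog-style timestamp with a space-padded single-digit day such as `Nov  5 10:22:01`; the Logstash date documentation handles that case with a second pattern using two spaces, so I would change the line to `match => ["[event][end]", "ISO8601", "yyyy-MM-dd HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]`. That pattern also carries no year, so the filter has to infer one, which around the new-year boundary can place events a year off, and a failed parse leaves the field as a string and adds `_dateparsefailure`, which breaks range queries on `event.end`. `timezone => "GMT"` is presumably right for the ISO8601 and `yyyy-MM-dd` sources, but syslog timestamps are usually the sender's local time, so worth confirming for the SEPM forwarder. The enclosing `if [event][end]` block continues past the hunk.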
