File: //usr/share/filebeat/module/suricata/eve/config/eve.yml
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
processors:
- rename:
fields:
- {from: message, to: event.original}
- decode_json_fields:
fields: [event.original]
target: suricata.eve
- convert:
ignore_missing: true
fail_on_error: false
mode: rename
fields:
- {from: suricata.eve.src_ip, to: source.address}
- {from: suricata.eve.src_port, to: source.port, type: long}
- {from: suricata.eve.dest_ip, to: destination.address}
- {from: suricata.eve.dest_port, to: destination.port, type: long}
- {from: suricata.eve.proto, to: network.transport}
- {from: suricata.eve.flow_id, type: string}
- convert:
ignore_missing: true
fail_on_error: false
mode: copy
fields:
- {from: source.address, to: source.ip, type: ip}
- {from: destination.address, to: destination.ip, type: ip}
- {from: '@timestamp', to: event.created}
- timestamp:
field: suricata.eve.timestamp
layouts:
- '2006-01-02T15:04:05.999999999Z0700' # ISO8601
- drop_fields:
fields:
- suricata.eve.timestamp
{{ if .community_id }}
- community_id:
{{ end }}
{{ if .internal_networks }}
- add_network_direction:
source: source.ip
destination: destination.ip
target: network.direction
internal_networks: {{ .internal_networks | tojson }}
{{ end }}
- registered_domain:
when:
or:
- equals.suricata.eve.dns.type: query
# V2 events always include the query data.
- equals.suricata.eve.dns.version: 2
ignore_missing: true
ignore_failure: true
field: suricata.eve.dns.rrname
target_field: dns.question.registered_domain
target_subdomain_field: dns.question.subdomain
target_etld_field: dns.question.top_level_domain
- add_fields:
target: ''
fields:
ecs.version: 1.12.0