File: //usr/share/filebeat/module/zeek/irc/config/irc.yml
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
json.keys_under_root: false
fields_under_root: true
fields:
network.transport: tcp
network.protocol: irc
processors:
- rename:
fields:
- from: "json"
to: "zeek.irc"
- from: "zeek.irc.id.orig_h"
to: "source.address"
- from: "zeek.irc.id.orig_p"
to: "source.port"
- from: "zeek.irc.id.resp_h"
to: "destination.address"
- from: "zeek.irc.id.resp_p"
to: "destination.port"
- from: "zeek.irc.uid"
to: "zeek.session_id"
- from: "zeek.irc.dcc_file_name"
to: "zeek.irc.dcc.file.name"
- from: "zeek.irc.dcc_file_size"
to: "zeek.irc.dcc.file.size"
- from: "zee.irc.dcc_mime_type"
to: "zeek.irc.dcc.mime_type"
ignore_missing: true
fail_on_error: false
- convert:
fields:
- {from: "zeek.session_id", to: "event.id"}
- {from: "source.address", to: "source.ip", type: "ip"}
- {from: "destination.address", to: "destination.ip", type: "ip"}
- {from: "zeek.irc.user", to: "user.name"}
- {from: "zeek.irc.command", to: "event.action"}
- {from: "zeek.irc.dcc.file.name", to: "file.name"}
- {from: "zeek.irc.dcc.file.size", to: "file.size"}
- {from: "zeek.irc.dcc.mime_type", to: "file.mime_type"}
ignore_missing: true
fail_on_error: false
- add_fields:
target: event
fields:
kind: event
category:
- network
type:
- connection
- protocol
- info
- community_id:
{{ if .internal_networks }}
- add_network_direction:
source: source.ip
destination: destination.ip
target: network.direction
internal_networks: {{ .internal_networks | tojson }}
{{ end }}
- add_fields:
target: ''
fields:
ecs.version: 1.12.0