diff --git a/configfiles/1100_preprocess_bro_conn.conf b/configfiles/1100_preprocess_bro_conn.conf
index f9ff79a..87f0904 100644
--- a/configfiles/1100_preprocess_bro_conn.conf
+++ b/configfiles/1100_preprocess_bro_conn.conf
@@ -1,12 +1,15 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 5/18/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for conn.log from Bro systems
 filter {
 if [type] == "bro_conn" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","service","duration","original_bytes","respond_bytes","connection_state","local_orig","local_respond","missed_bytes","history","original_packets","original_ipbytes","respond_packets","respond_ipbytes","tunnel_parents","original_country_code","respond_country_code","sensor_name"]
diff --git a/configfiles/1102_preprocess_bro_dns.conf b/configfiles/1102_preprocess_bro_dns.conf
index 34c2b9b..53cf5ad 100644
--- a/configfiles/1102_preprocess_bro_dns.conf
+++ b/configfiles/1102_preprocess_bro_dns.conf
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for dns.log from Bro systems
 filter {
 if [type] == "bro_dns" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","transaction_id","rtt","query","query_class","query_class_name","query_type","query_type_name","rcode","rcode_name","aa","tc","rd","ra","z","answers","ttls","rejected"]
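Review bot: The added `gsub => [ "message", "[\"']", "" ]` in the bro_dns hunk deletes every `"` and `'` from the raw line before the csv filter runs, so `query` and `answers` are indexed with characters removed rather than as Bro recorded them; DNS names and TXT answers are attacker-controlled, and a quote in a label is exactly the kind of oddity an analyst would want preserved. The change is presumably working around the csv filter treating `"` as its quoting character and mis-parsing lines that contain one; a less lossy fix is to tell the parser to ignore quoting by setting `quote_char` on the `csv {}` block to a character that cannot occur in Bro's tab-separated output (a control character — check how your Logstash version handles escapes in config strings). That keeps field content byte-for-byte while fixing the parse. Whichever is kept, add a comment above the mutate naming the failure it prevents, because nothing in the hunk says why quotes are removed. The same mutate in the bro_conn hunk above is harmless for conn.log's enumerated fields but still runs a regex on every event.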
diff --git a/configfiles/1103_preprocess_bro_dpd.conf b/configfiles/1103_preprocess_bro_dpd.conf
index ee38b42..39603bf 100644
--- a/configfiles/1103_preprocess_bro_dpd.conf
+++ b/configfiles/1103_preprocess_bro_dpd.conf
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for dpd.log from Bro systems
 filter {
 if [type] == "bro_dpd" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","analyzer","failure_reason"]
 separator => " "
diff --git a/configfiles/1104_preprocess_bro_files.conf b/configfiles/1104_preprocess_bro_files.conf
index 51054d1..6658893 100644
--- a/configfiles/1104_preprocess_bro_files.conf
+++ b/configfiles/1104_preprocess_bro_files.conf
@@ -1,7 +1,7 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 10/13/2017 - Wes lambert
+# Last Update: 12/14/2017 - Wes lambert
 #
 # This conf file is based on accepting logs for files.log from Bro systems
 filter {
diff --git a/configfiles/1105_preprocess_bro_ftp.conf b/configfiles/1105_preprocess_bro_ftp.conf
index 3e12e2e..8d1dd19 100644
--- a/configfiles/1105_preprocess_bro_ftp.conf
+++ b/configfiles/1105_preprocess_bro_ftp.conf
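Review bot: The same three-line `mutate { gsub => [ "message", "[\"']", "" ] }` is pasted verbatim into every bro_* preprocess file in this commit with no comment explaining what it works around, and the copies will drift as the files are edited independently (the header lines already differ from file to file). If every bro_ type needs it, one shared stage that runs before these files, guarded by `if [type] =~ /^bro_/ { ... }`, gives a single copy and a single place to revisit when a less lossy fix (a csv `quote_char` the log cannot contain) is adopted. Where it stays per-file, at least put the reason above it, e.g. `# Strip quote characters so the csv filter does not treat them as field quoting`. In dpd.log specifically, `failure_reason` is free text from the analyzer, so the stripping does alter what gets indexed here.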
@@ -1,12 +1,15 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 5/18/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for ftp.log from Bro systems
 filter {
 if [type] == "bro_ftp" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","ftp_username","password","ftp_command","ftp_argument","mimetype","file_size","reply_code","reply_message","data_channel_passive","data_channel_source_ip","data_channel_destination_ip","data_channel_destination_port","fuid"]
 separator => " "
diff --git a/configfiles/1107_preprocess_bro_irc.conf b/configfiles/1107_preprocess_bro_irc.conf
index 97626ea..84f7dcb 100644
--- a/configfiles/1107_preprocess_bro_irc.conf
+++ b/configfiles/1107_preprocess_bro_irc.conf
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Update by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for irc.log from Bro systems
 filter {
 if [type] == "bro_irc" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","nick","irc_username","irc_command","value","additional_info","dcc_file_name","dcc_file_size","dcc_mime_type","fuid"]
 separator => " "
diff --git a/configfiles/1108_preprocess_bro_kerberos.conf b/configfiles/1108_preprocess_bro_kerberos.conf
index 701bf59..a8adf28 100644
--- a/configfiles/1108_preprocess_bro_kerberos.conf
+++ b/configfiles/1108_preprocess_bro_kerberos.conf
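Review bot: In the bro_ftp and bro_irc hunks the new quote stripping runs over fields that are entirely under the remote party's control — `ftp_argument`, `reply_message`, `value`, `additional_info`, `dcc_file_name` — so what reaches the index is no longer what crossed the wire, and a search or detection written against the real payload (a quoted argument, a quoted DCC file name) will silently never match. Once the csv filter has populated the fields the original line is gone, so the alteration is unrecoverable. If the only goal is to stop the csv filter honouring `"` as a quoting character, prefer a csv `quote_char` that cannot occur in Bro's output over rewriting `message`; if the stripping is kept, preserve the untouched line first with `mutate { add_field => { "raw_message" => "%{message}" } }` and state the trade-off in a comment. Pre-existing and outside this change: the `password` column indexes FTP credentials in clear, which deserves a documented decision (drop, hash, or restricted index) rather than the default.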
@@ -1,11 +1,14 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 5/18/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for kerberos.log from Bro systems
 filter {
 if [type] == "bro_kerberos" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","request_type","client","service","kerberos_success","error_message","valid_from","valid_till","cipher","forwardable","renewable","client_certificate_subject","client_certificate_fuid","server_certificate_subject","server_certificate_fuid"]
 separator => " "
diff --git a/configfiles/1109_preprocess_bro_notice.conf b/configfiles/1109_preprocess_bro_notice.conf
index 5bad304..1926754 100644
--- a/configfiles/1109_preprocess_bro_notice.conf
+++ b/configfiles/1109_preprocess_bro_notice.conf
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Update by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for notice.log from Bro systems
 filter {
 if [type] == "bro_notice" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","file_mime_type","file_description","protocol","note","msg","sub_msg","source_ip","destination_ip","p","n","peer_description","action","suppress_for","dropped","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
 separator => " "
diff --git a/configfiles/1110_preprocess_bro_rdp.conf b/configfiles/1110_preprocess_bro_rdp.conf
index d44008a..fc80c5e 100644
--- a/configfiles/1110_preprocess_bro_rdp.conf
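Review bot: In the bro_notice hunk the stripping is applied to `msg` and `sub_msg`, which Bro fills with free text that routinely embeds quoted values (file names, host names, the string a signature matched on); after the gsub the analyst reads a different sentence than the sensor wrote and cannot tell which characters were removed. notice.log is the log people alert on, so it is the worst place for a silent rewrite. Scope the workaround to the csv parse (a `quote_char` the log cannot contain) rather than to `message`, or at minimum document it above the mutate: `# NOTE: quote characters are removed before parsing; msg/sub_msg are not verbatim`. Pre-existing, not introduced here: the columns list names `source_ip` and `destination_ip` twice, so the later columns presumably overwrite the values parsed from the connection tuple — worth checking while in this file.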
+++ b/configfiles/1110_preprocess_bro_rdp.conf
@@ -1,11 +1,15 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Update by Wes Lambert
+# Last Update: 12/14/2016
 #
 # This conf file is based on accepting logs for weird.log from Bro systems
 filter {
 if [type] == "bro_rdp" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","cookie","result","security_protocol","keyboard_layout","client_build","client_name","client_digital_product_id","desktop_width","desktop_height","requested_color_depth","certificate_type","certificate_count","certificate_permanent","encryption_level","encryption_method"]
 separator => " "
diff --git a/configfiles/1111_preprocess_bro_signatures.conf b/configfiles/1111_preprocess_bro_signatures.conf
index 607742f..70cdb2d 100644
--- a/configfiles/1111_preprocess_bro_signatures.conf
+++ b/configfiles/1111_preprocess_bro_signatures.conf
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Updated by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for signatures.log from Bro systems
 filter {
 if [type] == "bro_signatures" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","note","signature_id","event_message","sub_message","signature_count","host_count"]
 separator => " "
diff --git a/configfiles/1113_preprocess_bro_snmp.conf b/configfiles/1113_preprocess_bro_snmp.conf
index b718970..e7b8e43 100644
--- a/configfiles/1113_preprocess_bro_snmp.conf
+++ b/configfiles/1113_preprocess_bro_snmp.conf
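Review bot: The bro_rdp header now reads `+# Last Update: 12/14/2016`, a year behind every sibling file in this commit (`12/14/2017`), and the description line above it still says `weird.log` for a file that parses rdp.log; both should be corrected so the headers remain usable as provenance. On the code side, `cookie` and `client_name` in rdp.log are supplied by the connecting client and are exactly the values a brute-force or tooling fingerprint would key on; the new gsub removes quote characters from them before indexing with no trace that it did. As elsewhere, a `quote_char` override on the csv filter fixes the parse without altering the evidence, and if the mutate stays it needs a comment saying why it is there.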
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Update by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for snmp.log from Bro systems
 filter {
 if [type] == "bro_snmp" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","duration","version","community","get_requests","get_bulk_requests","get_responses","set_requests","display_string","up_since"]
 separator => " "
diff --git a/configfiles/1114_preprocess_bro_software.conf b/configfiles/1114_preprocess_bro_software.conf
index 8db5bca..83ad55e 100644
--- a/configfiles/1114_preprocess_bro_software.conf
+++ b/configfiles/1114_preprocess_bro_software.conf
@@ -1,12 +1,16 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
+# Update by Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for software.log from Bro systems
 filter {
 if [type] == "bro_software" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","source_ip","source_port","software_type","name","version_major","version_minor","version_minor2","version_minor3","version_additional_info","unparsed_version"]
 separator => " "
diff --git a/configfiles/1115_preprocess_bro_ssh.conf b/configfiles/1115_preprocess_bro_ssh.conf
index bdf42b3..df24f07 100644
--- a/configfiles/1115_preprocess_bro_ssh.conf
+++ b/configfiles/1115_preprocess_bro_ssh.conf
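Review bot: In the bro_software hunk the gsub runs before `name`, `version_additional_info` and `unparsed_version` are parsed, and those come straight from banners and User-Agent strings where quotes are common; the stored version string then no longer equals what the host actually advertised, which matters when it is later matched against a vulnerability feed or another sensor's record. If the stripping is retained, document it above the mutate and consider keeping the original line in a separate field before it runs (`mutate { add_field => { "raw_message" => "%{message}" } }`), accepting the extra storage. Pre-existing in the snmp hunk, not from this change: `community` is indexed as-is, which puts SNMP community strings — effectively credentials — into the index, and that deserves a deliberate decision.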
@@ -1,12 +1,15 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for ssh.log from Bro systems
 filter {
 if [type] == "bro_ssh" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude"]
 separator => " "
diff --git a/configfiles/1116_preprocess_bro_ssl.conf b/configfiles/1116_preprocess_bro_ssl.conf
index 28f8149..90e0323 100644
--- a/configfiles/1116_preprocess_bro_ssl.conf
+++ b/configfiles/1116_preprocess_bro_ssl.conf
@@ -1,13 +1,16 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 8/29/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for ssl.log from Bro systems
 filter {
 if [type] == "bro_ssl" {
 # This is the initial parsing of the log
- csv {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3"]
 separator => " "
 }
diff --git a/configfiles/1117_preprocess_bro_syslog.conf b/configfiles/1117_preprocess_bro_syslog.conf
index bdddb51..eba64ab 100644
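Review bot: In the bro_ssl hunk the stripping now runs before `server_name`, `certificate_subject`, `certificate_issuer` and `ja3` are parsed; SNI values and certificate DNs are supplied by the peer and can contain quote characters, so an indicator exported from another tool — or from events this pipeline indexed before the change — may no longer match what is stored now. The ssh hunk has the same effect on the `client` and `server` version strings that are commonly used for tool fingerprinting. Since the csv filter's quote handling is the only reason the quotes are a problem, prefer a `quote_char` on the csv filter that cannot occur in Bro's tab-separated output, or at least state the trade-off in a comment above the mutate. The `- csv {` / `+ csv {` pair here appears to be a reindent only; a comment would make it obvious that no parse options changed.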
--- a/configfiles/1117_preprocess_bro_syslog.conf
+++ b/configfiles/1117_preprocess_bro_syslog.conf
@@ -3,12 +3,15 @@
 # Email: justin@hasecuritysolution.com
 #
 # Updated by Wes Lambert
-# Last Update: 08/1/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for syslog.log from Bro systems
 filter {
 if [type] == "bro_syslog" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","facility","severity","message"]
 separator => " "
diff --git a/configfiles/1118_preprocess_bro_tunnel.conf b/configfiles/1118_preprocess_bro_tunnel.conf
index b1b89b2..5b9efe2 100644
--- a/configfiles/1118_preprocess_bro_tunnel.conf
+++ b/configfiles/1118_preprocess_bro_tunnel.conf
@@ -1,13 +1,16 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 5/13/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for tunnel.log from Bro systems
 # Security Onion syslog-ng.conf sets type to "bro_tunnels"
 filter {
 if [type] == "bro_tunnels" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","tunnel_type","action"]
 separator => " "
diff --git a/configfiles/1121_preprocess_bro_mysql.conf b/configfiles/1121_preprocess_bro_mysql.conf
index c5d9239..61ce85e 100644
--- a/configfiles/1121_preprocess_bro_mysql.conf
+++ b/configfiles/1121_preprocess_bro_mysql.conf
@@ -1,7 +1,7 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 5/18/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for mysql.log from Bro systems
 #
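Review bot: syslog.log is the one Bro log whose payload is free text by definition — the final `message` column holds whatever the device sent — and the new gsub in the bro_syslog hunk deletes every `"` and `'` from it before indexing, so quoted commands, paths and user strings (sudo, auditd and sshd messages all quote such values) are altered for every host that forwards through the sensor. That is evidence modification inside the SIEM with no record that it occurred. Keep the parse fix on the csv side (`quote_char` set to a character the line cannot contain) or store the untouched line first with `mutate { add_field => { "raw_message" => "%{message}" } }`, and say which in a comment. Pre-existing: the last csv column is itself named `message`, so the parsed payload replaces the raw line; presumably intentional, but after this change that replacement is the only copy and it is no longer verbatim.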
diff --git a/configfiles/1122_preprocess_bro_socks.conf b/configfiles/1122_preprocess_bro_socks.conf
index 422204d..e6c1a6c 100644
--- a/configfiles/1122_preprocess_bro_socks.conf
+++ b/configfiles/1122_preprocess_bro_socks.conf
@@ -1,13 +1,16 @@
 # Original Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
 # Updated by: Wes Lambert
-# Last Update: 5/18/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for socks.log from Bro systems
 # Parse using csv
 filter {
 if [type] == "bro_socks" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","user","password","server_status","request_host","request_name","request_port","bound_host","bound_name","bound_port"]
 separator => " "
diff --git a/configfiles/1124_preprocess_bro_intel.conf b/configfiles/1124_preprocess_bro_intel.conf
index a67679f..028c4a1 100644
--- a/configfiles/1124_preprocess_bro_intel.conf
+++ b/configfiles/1124_preprocess_bro_intel.conf
@@ -1,12 +1,15 @@
 # Author: Justin Henderson
 # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Updated by: Doug Burks
-# Last Update: 5/15/2017
+# Updated by: Wes Lambert
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for intel.log from Bro systems
 filter {
 if [type] == "bro_intel" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","indicator","indicator_type","seen_where","seen_node","matched","sources","fuid","mimetype","file_description"]
 separator => " "
diff --git a/configfiles/1125_preprocess_bro_modbus.conf b/configfiles/1125_preprocess_bro_modbus.conf
index ace50ef..7d5bf4a 100644
--- a/configfiles/1125_preprocess_bro_modbus.conf
+++ b/configfiles/1125_preprocess_bro_modbus.conf
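Review bot: In the bro_intel hunk the gsub runs over `indicator` and `file_description`, the values an analyst compares back to the threat-intel source; if a feed entry contains a quote (URLs and file names can), the indexed hit no longer equals the feed entry and the round trip from alert to feed breaks. intel.log is also the log where silently discarded characters are least acceptable, since every line is by construction something somebody asked to be told about. As in the other files, a csv `quote_char` that cannot occur in Bro's output fixes the parse without touching the data; if the mutate stays, add a one-line comment above it saying so. Pre-existing in the socks hunk: `user` and `password` are indexed in clear and warrant a documented redaction decision.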
@@ -3,7 +3,7 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/12/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for modbus.log from Bro systems
 #
@@ -11,6 +11,9 @@
 filter {
 if [type] == "bro_modbus" {
 # This is the initial parsing of the log
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","function","exception"]
 separator => " "
diff --git a/configfiles/1127_preprocess_bro_radius.conf b/configfiles/1127_preprocess_bro_radius.conf
index e88af48..108b8c6 100644
--- a/configfiles/1127_preprocess_bro_radius.conf
+++ b/configfiles/1127_preprocess_bro_radius.conf
@@ -3,14 +3,17 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/13/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for radius.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_radius" {
- csv {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
+ csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","radius_username","mac","remote_ip","connect_info","result","logged"]
 separator => " "
 }
diff --git a/configfiles/1128_preprocess_bro_pe.conf b/configfiles/1128_preprocess_bro_pe.conf
index 6afbb1b..82fc92e 100644
--- a/configfiles/1128_preprocess_bro_pe.conf
+++ b/configfiles/1128_preprocess_bro_pe.conf
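Review bot: modbus.log's `function` and `exception` columns are enumerated names, so the gsub added in the second bro_modbus hunk is a regex executed on every event that cannot change anything here; the same holds for several other logs in this commit, which suggests the workaround was applied wholesale rather than where the csv filter actually fails. If a shared stage is not wanted, add a comment over each copy naming the parse failure it prevents, and drop it from files whose fields cannot contain quotes. In the bro_radius hunk it is not inert: `radius_username` and `connect_info` are client-supplied and will be altered, so that copy needs the comment and a decision on whether a csv `quote_char` override is the better fix.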
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/12/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for pe.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_pe" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","fuid","machine","compile_ts","os","subsystem","is_exe","is_64bit","uses_aslr","uses_dep","uses_code_integrity","uses_seh","has_import_table","has_export_table","has_cert_table","has_debug_data","section_names"]
 separator => " "
diff --git a/configfiles/1129_preprocess_bro_rfb.conf b/configfiles/1129_preprocess_bro_rfb.conf
index 4362835..680a115 100644
--- a/configfiles/1129_preprocess_bro_rfb.conf
+++ b/configfiles/1129_preprocess_bro_rfb.conf
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/12/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for rfb.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_rfb" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","client_major_version","client_minor_version","server_major_version","server_minor_version","authentication_method","auth","share_flag","desktop_name","width","height"]
 separator => " "
diff --git a/configfiles/1130_preprocess_bro_dnp3.conf b/configfiles/1130_preprocess_bro_dnp3.conf
index 7fcf26a..ed3ba70 100644
--- a/configfiles/1130_preprocess_bro_dnp3.conf
+++ b/configfiles/1130_preprocess_bro_dnp3.conf
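Review bot: In the bro_pe hunk `section_names` is taken from the binary itself, and unusual section names — including ones containing quotes or other odd characters — are commonly treated as a hint of packed or hand-built executables; removing quote characters before indexing hides precisely that hint and makes the stored value differ from what a sandbox or YARA report for the same sample would show. The bro_rfb hunk does the same to `desktop_name`, which the VNC server sends. Prefer fixing the parse with a csv `quote_char` the log cannot contain, and if the gsub is kept add `# Quote characters removed before csv parse; section_names is not verbatim` (or the rfb equivalent) above it so the next person knows the field is lossy.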
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/12/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for dnp3.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_dnp3" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fc_request","fc_reply","iin"]
 separator => " "
diff --git a/configfiles/1131_preprocess_bro_smb_files.conf b/configfiles/1131_preprocess_bro_smb_files.conf
index a9771ee..01055d2 100644
--- a/configfiles/1131_preprocess_bro_smb_files.conf
+++ b/configfiles/1131_preprocess_bro_smb_files.conf
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/16/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for smb_files.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_smb_files" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","fuid","action","path","name","size","prev_name","times_modified","times_accessed","times_created","times_changed"]
 separator => " "
diff --git a/configfiles/1132_preprocess_bro_smb_mapping.conf b/configfiles/1132_preprocess_bro_smb_mapping.conf
index 9901b6f..ceac871 100644
--- a/configfiles/1132_preprocess_bro_smb_mapping.conf
+++ b/configfiles/1132_preprocess_bro_smb_mapping.conf
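Review bot: In the bro_smb_files hunk `path`, `name` and `prev_name` are Windows file names, which may legitimately contain an apostrophe (`O'Brien report.xlsx`); the new gsub indexes that as `OBrien report.xlsx`, so pivoting from an endpoint event or a file-hash report to this log by exact name will not match, and a rename detection comparing `name` with `prev_name` is working on altered strings. Since only the csv filter's quote handling is the problem, set its `quote_char` to a character that cannot occur in Bro's tab-separated output instead of rewriting `message`, or document the alteration in a comment next to the mutate. The bro_dnp3 copy above is inert — `fc_request`, `fc_reply` and `iin` are enumerations — but still costs a regex per event.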
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/16/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for smb_mapping.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_smb_mapping" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","path","service","native_file_system","share_type"]
 separator => " "
diff --git a/configfiles/1133_preprocess_bro_ntlm.conf b/configfiles/1133_preprocess_bro_ntlm.conf
index cc083e2..fc7b010 100644
--- a/configfiles/1133_preprocess_bro_ntlm.conf
+++ b/configfiles/1133_preprocess_bro_ntlm.conf
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/18/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for ntlm.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_ntlm" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","ntlm_username","hostname","domain_name","ntlm_success","status"]
 separator => " "
diff --git a/configfiles/1134_preprocess_bro_dce_rpc.conf b/configfiles/1134_preprocess_bro_dce_rpc.conf
index 3dff700..1d0f186 100644
--- a/configfiles/1134_preprocess_bro_dce_rpc.conf
+++ b/configfiles/1134_preprocess_bro_dce_rpc.conf
@@ -3,13 +3,16 @@
 #
 # Adapted from existing filters provided by Justin Henderson
 #
-# Last Update: 05/16/2017
+# Last Update: 12/14/2017
 #
 # This conf file is based on accepting logs for dce_rpc.log from Bro systems
 #
 # Parse using csv filter
 filter {
 if [type] == "bro_dce_rpc" {
+ mutate {
+ gsub => [ "message", "[\"']", "" ]
+ }
 csv {
 columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","rtt","named_pipe","endpoint","operation"]
 separator => " "
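Review bot: In the bro_ntlm hunk `ntlm_username`, `hostname` and `domain_name` are the join keys to Windows security events, and an apostrophe is a permitted character in an Active Directory account name; after the new gsub `o'neil` is indexed as `oneil` and will not correlate with the 4624/4776 record for the same logon, and a lookup table keyed on the real account name will miss. The same applies to `path` in the bro_smb_mapping hunk. Keep the fix on the parser (csv `quote_char` set to something the log cannot contain) rather than on the data, or preserve the original line in a separate field before the mutate and document the trade-off above it. The bro_dce_rpc copy operates on `endpoint`/`operation`, which are interface and method names, so it has no effect there but still runs a regex per event.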