diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 54d4fa40f17..b35ec93cdf9 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -344,6 +344,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix for `field [source] not present as part of path [source.ip]` error in azure pipelines. {pull}22377[22377]
 - Drop aws.vpcflow.pkt_srcaddr and aws.vpcflow.pkt_dstaddr when equal to "-". {pull}22721[22721] {issue}22716[22716]
 - Fix cisco umbrella module config by adding input variable. {pull}22892[22892]
+- Fix network.direction logic in zeek connection fileset. {pull}22967[22967]
 - Convert the o365 module's `client.port` and `source.port` to numbers (from strings) in events. {pull}22939[22939]
 - Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. {pull}22966[22966]
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index c25c9cee6e5..93245720a06 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -45,19 +45,30 @@ processors:
     source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
     ignore_failure: true
 - script:
-    source: >-
-      if (ctx?.zeek?.connection?.local_orig == true) {
-        if (ctx?.zeek?.connection?.local_resp == true) {
-          ctx.network.direction = "internal";
-        } else {
-          ctx.network.direction = "outbound";
-        }
-      } else {
-        if (ctx?.zeek?.connection?.local_resp == true) {
-          ctx.network.direction = "inbound";
-        } else {
-          ctx.network.direction = "external";
-        }
+    source: |-
+      if (ctx?.zeek?.connection?.local_orig == null ||
+          ctx?.zeek?.connection?.local_resp == null) {
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == true &&
+          ctx.zeek.connection.local_resp == true) {
+        ctx.network.direction = "internal";
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == true &&
+          ctx.zeek.connection.local_resp == false) {
+        ctx.network.direction = "outbound";
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == false &&
+          ctx.zeek.connection.local_resp == true) {
+        ctx.network.direction = "inbound";
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == false &&
+          ctx.zeek.connection.local_resp == false) {
+        ctx.network.direction = "external";
+        return;
       }
 - geoip:
     field: destination.ip
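Review bot: The new guard null-checks only the two `zeek.connection` fields, yet every branch then assigns `ctx.network.direction`, which throws a NullPointerException when `ctx.network` is absent; unlike the preceding `network.bytes` script, this `script` processor shows no `ignore_failure: true`, so such a document would fail the whole pipeline instead of merely missing the field (whether an earlier processor always creates `network` is outside the hunk). Adding `if (ctx.network == null) { ctx.network = new HashMap(); }` right after the null guard, or `ignore_failure: true` on the processor, would keep this fix from turning a missing object into a dropped event. Separately, once both fields are known to be non-null the final `if` is the only remaining case for boolean values and could be a plain `else`; if either field ever arrives as a non-boolean (e.g. a string), all four branches silently skip and `network.direction` stays unset, which deserves a short comment such as `// direction is left unset for non-boolean local_orig/local_resp` since detection rules key on this field.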