Logstash config for Bro logs (JSON), Procmon (CSV export) and Beats (Winlogbeat with Sysmon, and Packetbeat). Edit the paths between the "CHANGE ME" banners before use.
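input {
  # Beats shippers (winlogbeat/packetbeat) connect here. As written the
  # listener is plaintext: any host that can reach TCP/5044 can submit
  # events that end up in the indices below. Restrict the port at the
  # firewall and, outside a throwaway lab, enable TLS (ideally with client
  # certificate verification) by filling in the ssl_* settings.
  # NOTE(review): Beats events normally arrive with their own "type" field;
  # this default appears to apply only when that field is absent - confirm.
  beats {
    type => "beats"
    port => 5044
    #codec => json
    #ssl => true
    #ssl_certificate => "/path/to/logstash.crt"
    #ssl_key => "/path/to/logstash.key"
    #ssl_certificate_authorities => ["/path/to/ca.crt"]
    #ssl_verify_mode => "force_peer"
  }

  # Procmon "Save as CSV" export. start_position/sincedb together mean the
  # whole file is read from the top on every Logstash (re)start, with no
  # memory of what was already shipped - good for a one-shot import,
  # but it produces duplicate documents if Logstash is restarted.
  file {
    type => "procmon"
    ############ CHANGE ###################
    path => "/blahblahblah/LogFile.CSV"
    ############## ME ####################
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }

  # Bro logs written as one JSON object per line (e.g. conn.log, dns.log).
  # Same re-read-on-restart behaviour as above.
  file {
    type => "bro-logs"
    ############ CHANGE ###################
    path => "/blahblahblah/Pcap/*.log"
    ############## ME ####################
    start_position => "beginning"
    codec => json
    sincedb_path => "/dev/null"
  }
}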
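filter {
  if [type] == "procmon" {
    # Column list must match the columns selected in Procmon
    # (Options > Select Columns), in the order they were exported.
    csv {
      separator => ","
      ############ CHANGE ###################
      columns => ["Time of Day","Process Name","PID","Operation","Path","Result","Detail","Date & Time","Event Class","Sequence","Image Path","Description","Version","User","Session","Command Line","TID","Virtualized","Integrity","Category","Parent PID"]
      ############## ME ####################
    }

    # The first line of the export is the column header. Read from the
    # beginning of the file it becomes an event whose "Time of Day" is the
    # literal column name; it would fail every conversion below and be
    # indexed as junk, so drop it.
    if [Time of Day] == "Time of Day" {
      drop { }
    }

    # Numeric/boolean coercion so Elasticsearch maps these as numbers
    # rather than strings. "Duration" is not in the column list above, so
    # that entry is a no-op unless the column is added to the export.
    mutate {
      convert => {
        "PID" => "integer"
        "TID" => "integer"
        "Parent PID" => "integer"
        "Virtualized" => "boolean"
        "Session" => "integer"
        "Sequence" => "integer"
        "Duration" => "float"
      }
      # The raw CSV line is redundant once it has been split into columns.
      remove_field => ['message']
    }

    # Build a parseable "Time" from the date part of "Date & Time" and the
    # clock part of "Time of Day". This assumes "Time of Day" looks like
    # `1:23:45.6789012 PM`: the last 7 characters (4 extra fraction digits
    # plus " AM"/" PM") are removed to leave millisecond precision, then the
    # meridian is re-appended so the hh:mm:ss.SSS aa pattern below matches.
    if "PM" in [Time of Day] {
      mutate {
        gsub => ["Time of Day", ".{7}$", ""]
        split => ["Date & Time", " "]
        add_field => ["Time", "%{[Date & Time][0]} %{[Time of Day]} PM"]
      }
    }
    if "AM" in [Time of Day] {
      mutate {
        gsub => ["Time of Day", ".{7}$", ""]
        split => ["Date & Time", " "]
        add_field => ["Time", "%{[Date & Time][0]} %{[Time of Day]} AM"]
      }
    }

    # No timezone is given, so the Logstash host's zone is assumed. Procmon
    # records the capture host's local time; if the two differ, set
    # timezone explicitly or @timestamp will be skewed.
    date {
      match => ["Time", "MM/dd/YYYY hh:mm:ss.SSS aa"]
      target => "@timestamp"
      # timezone => "UTC"
    }

    # Network operations carry "source -> destination" in Path. Split it
    # (Path becomes a two-element array for these events) and, for
    # Send/Receive, record the endpoints with the direction normalised.
    # NOTE(review): Procmon shows endpoints as host:port, with names
    # resolved unless that option is disabled, so despite the field names
    # these are not bare IP addresses - confirm against the export.
    if [Event Class] == "Network" {
      mutate {
        split => ["Path", "->"]
      }
      if "Send" in [Operation] {
        mutate {
          add_field => ["ip_src", "%{[Path][0]}"]
          add_field => ["ip_dst", "%{[Path][1]}"]
        }
      }
      if "Receive" in [Operation] {
        mutate {
          add_field => ["ip_dst", "%{[Path][0]}"]
          add_field => ["ip_src", "%{[Path][1]}"]
        }
      }
      # Splitting on "->" alone keeps the spaces around the arrow on each
      # half; trim them so the values work as exact-match terms.
      if [ip_src] {
        mutate {
          strip => ["ip_src", "ip_dst"]
        }
      }
    }

    # Uncomment to drop the intermediate time fields once @timestamp is set.
    #mutate {
    #  remove_field => ['Time of Day', 'Date & Time', 'Time']
    #}
  }

  if [type] == "bro-logs" {
    # Bro's "ts" is epoch seconds; promote it to @timestamp.
    date {
      match => [ "ts", "UNIX" ]
      target => "@timestamp"
      remove_field => [ "ts" ]
    }

    # Replace dots in selected Bro field names with underscores so they are
    # indexed as flat fields rather than nested objects. Requires the
    # logstash-filter-de_dot plugin.
    # NOTE(review): [log_path] is presumably the Bro log name (weird,
    # software, x509, intel); it is not part of Bro's stock log output as
    # far as this config shows - confirm what populates it, or these
    # branches never run.
    if [log_path] == "weird" {
      de_dot {
        fields => [
          "id.orig_p",
          "id.resp_p"
        ]
      }
    }
    if [log_path] == "software" {
      de_dot {
        fields => [
          "version.major",
          "version.minor",
          "version.minor2",
          "version.minor3",
          "version.addl"
        ]
      }
    }
    if [log_path] == "x509" {
      de_dot {
        fields => [
          "certificate.version",
          "certificate.serial",
          "certificate.subject",
          "certificate.issuer",
          "certificate.exponent",
          "certificate.curve",
          "sans.dns",
          "basic_constraints.ca"
        ]
      }
    }
    if [log_path] == "intel" {
      de_dot {
        fields => [
          "seen.indicator",
          "seen.where",
          "seen.node"
        ]
      }
    }
  }
}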
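output {
  # One daily index per source. The branches must be an if / else if / else
  # chain: with two independent `if`s a procmon event matches the first and
  # then also falls through the trailing `else`, so every Procmon row was
  # being written to beats-* as well as procmon-*.
  #
  # hosts => "localhost" is plain HTTP to the local node with no
  # credentials; keep Elasticsearch bound to localhost or add
  # user/password and ssl settings here.
  # NOTE(review): document_type is deprecated from Elasticsearch 6.x and
  # rejected by 7.x - drop it when upgrading.
  if [type] == "procmon" {
    elasticsearch {
      hosts => "localhost"
      index => "procmon-%{+YYYY.MM.dd}"
      document_type => "Procmon"
    }
  } else if [type] == "bro-logs" {
    elasticsearch {
      hosts => "localhost"
      index => "bro-logs-%{+YYYY.MM.dd}"
      document_type => "Bro"
    }
  } else {
    # Anything else (the Beats input) lands here.
    elasticsearch {
      hosts => "localhost"
      index => "beats-%{+YYYY.MM.dd}"
      document_type => "Beats"
    }
  }

  # Echoes every event to the console. Handy while tuning the filters;
  # remove it for steady-state use, as it duplicates the whole feed into
  # Logstash's stdout.
  stdout {}
}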