fluent-bit-filters-bro-conn-custom.conf

##################################################################
# Use this file to add transformations into ECS format 
# for optional and extended Zeek conn fields.

# conn.log
[FILTER]
    Name modify
    Match ${observer_product}.conn*
    Rename zeek_connection_orig_l2_addr source_mac
    Rename zeek_connection_resp_l2_addr destination_mac
    Rename zeek_connection_community_id network_community_id
    # zeerbit-zeek-scripts/conn-add-fqdn.zeek
    Rename zeek_connection_orig_fqdn    source_domain
    Rename zeek_connection_resp_fqdn    destination_domain

# Cleanup - remove keys represending domain (FQDN) if value is "-"
[FILTER]
    Name modify
    Match ${observer_product}.conn*
    Condition Key_value_equals source_domain -
    Remove_regex source_domain

[FILTER]
    Name modify
    Match ${observer_product}.conn*
    Condition Key_value_equals destination_domain -
    Remove_regex destination_domain

# zeerbit-zeek-scripts/conn-add-geo
# ECS: Parse source.geo and destination.geo
[FILTER]
    Name    lua
    Match   ${observer_product}.conn*
    Script  custom/zeek_conn_custom_parse.lua
    Call    zeek_conn_custom_parse_geo

# Remove no longer needed keys
[FILTER]
    Name modify
    Match ${observer_product}.conn*
    Remove zeek_connection_orig_geo_lon
    Remove zeek_connection_orig_geo_lat
    Remove zeek_connection_orig_geo_cc
    Remove zeek_connection_resp_geo_lon
    Remove zeek_connection_resp_geo_lat
    Remove zeek_connection_resp_geo_cc