From 7edb4579d1551292ec5f813be5de59b6a7340f1a Mon Sep 17 00:00:00 2001 
From: weslambert Date: Thu, 10 Jun 2021 11:09:15 -0400 Subject: [PATCH] Add ISO8601 as supported timestamp type (#25564) * Add ISO8601 as supported timestamp type Co-authored-by: Lee E. Hinman --- CHANGELOG.next.asciidoc | 1 + .../zeek/capture_loss/ingest/pipeline.yml | 1 + .../zeek/connection/ingest/pipeline.yml | 1 + .../zeek/connection/test/connection-json.log | 1 + .../test/connection-json.log-expected.json | 55 +++++++++++++++++++ .../module/zeek/dce_rpc/ingest/pipeline.yml | 1 + .../module/zeek/dhcp/ingest/pipeline.yml | 1 + .../module/zeek/dnp3/ingest/pipeline.yml | 1 + .../module/zeek/dns/ingest/pipeline.yml | 1 + .../module/zeek/dpd/ingest/pipeline.yml | 1 + .../module/zeek/files/ingest/pipeline.yml | 1 + .../module/zeek/ftp/ingest/pipeline.yml | 1 + .../module/zeek/http/ingest/pipeline.yml | 1 + .../module/zeek/intel/ingest/pipeline.yml | 1 + .../module/zeek/irc/ingest/pipeline.yml | 1 + .../module/zeek/kerberos/ingest/pipeline.yml | 3 + .../module/zeek/modbus/ingest/pipeline.yml | 1 + .../module/zeek/mysql/ingest/pipeline.yml | 1 + .../module/zeek/notice/ingest/pipeline.yml | 1 + .../module/zeek/ntlm/ingest/pipeline.yml | 1 + .../module/zeek/ntp/ingest/pipeline.yml | 5 ++ .../module/zeek/ocsp/ingest/pipeline.yml | 4 ++ .../module/zeek/pe/ingest/pipeline.yml | 2 + .../module/zeek/radius/ingest/pipeline.yml | 1 + .../module/zeek/rdp/ingest/pipeline.yml | 1 + .../module/zeek/rfb/ingest/pipeline.yml | 1 + .../module/zeek/signature/ingest/pipeline.yml | 1 + .../module/zeek/sip/ingest/pipeline.yml | 1 + .../module/zeek/smb_cmd/ingest/pipeline.yml | 1 + .../module/zeek/smb_files/ingest/pipeline.yml | 5 ++ .../zeek/smb_mapping/ingest/pipeline.yml | 1 + .../module/zeek/smtp/ingest/pipeline.yml | 1 + .../module/zeek/snmp/ingest/pipeline.yml | 2 + .../module/zeek/socks/ingest/pipeline.yml | 1 + .../module/zeek/ssh/ingest/pipeline.yml | 1 + .../module/zeek/ssl/ingest/pipeline.yml | 3 + .../module/zeek/stats/ingest/pipeline.yml | 1 + 
.../module/zeek/syslog/ingest/pipeline.yml | 1 + .../zeek/traceroute/ingest/pipeline.yml | 1 + .../module/zeek/tunnel/ingest/pipeline.yml | 1 + .../module/zeek/weird/ingest/pipeline.yml | 1 + .../module/zeek/x509/ingest/pipeline.yml | 3 + 42 files changed, 115 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b8f9c5ebe73..6be32d56ea1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -820,6 +820,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - http_endpoint: Support multiple documents in a single request by POSTing an array or NDJSON format. {pull}25764[25764] - Make `filestream` input GA. {pull}26127[26127] - Add new `parser` to `filestream` input: `container`. {pull}26115[26115] +- Add support for ISO8601 timestamps in Zeek fileset {pull}25564[25564] *Heartbeat* diff --git a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml index 76e5178572e..c1bd282d72d 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.capture_loss.ts formats: - UNIX + - ISO8601 - remove: field: zeek.capture_loss.ts - set: diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml index 93245720a06..0eb015e1548 100644 --- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.connection.ts formats: - UNIX + - ISO8601 - remove: field: zeek.connection.ts - set: diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log b/x-pack/filebeat/module/zeek/connection/test/connection-json.log index 1275e552e3b..467f28552c1 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log 
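Review bot: The added `ISO8601` entry (repeated identically in every pipeline of this patch) carries no comment, so a maintainer cannot tell why two formats are listed or which Zeek setting produces each; a one-line comment above `formats:` would fix that, e.g. `# ts is a UNIX float by default, or an ISO8601 string (with 'Z') when Zeek is configured for ISO8601 JSON timestamps`. One caveat worth stating in that comment: none of these `date` processors sets `timezone`, so a zone-less ISO8601 string would, as far as I recall, be read as UTC by the processor default; the fixture in this patch carries an explicit `Z`, which is what Zeek itself emits as far as I know, so this only matters for logs relayed or rewritten by something else before Filebeat. The enclosing `date` processor begins above the hunk.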
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log
@@ -2,3 +2,4 @@
 {"ts":1547188416.857497,"uid":"CAcJw21BbVedgFnYH4","id.orig_h":"192.168.86.167","id.orig_p":38340,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
 {"ts":1547188417.857497,"uid":"CAcJw21BbVedgFnYH5","id.orig_h":"4.4.2.2","id.orig_p":38341,"id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp","service":"dns","duration":0.076967,"orig_bytes":75,"resp_bytes":178,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"Dd","orig_pkts":1,"orig_ip_bytes":103,"resp_pkts":1,"resp_ip_bytes":206,"tunnel_parents":[]}
 {"ts":1551399000.57855,"uid":"Cc6NJ3GRlfjE44I3h","id.orig_h":"192.0.2.205","id.orig_p":3,"id.resp_h":"198.51.100.249","id.resp_p":3,"proto":"icmp","conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":107,"resp_pkts":0,"resp_ip_bytes":0,"tunnel_parents":[]}
+{"ts":"2021-06-09T20:55:13.160328Z","uid":"C2KP1V3alRLoxl4JB9","id.orig_h":"10.0.2.15","id.orig_p":46408,"id.resp_h":"172.217.9.68","id.resp_p":80,"proto":"tcp","conn_state":"OTH","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"C","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":0,"resp_ip_bytes":0}
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
index 088aee7aedf..ee633382786 100644
--- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json
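Review bot: Only the `connection` fileset receives an ISO8601 fixture line, while the patch changes 41 other pipelines — including the secondary time fields in kerberos, ocsp, ntp, pe, smb_files, ssl and x509 — with no regression line for any of them. If Zeek's ISO8601 JSON mode applies to every `time`-typed field (as I believe it does), values such as `zeek.x509.certificate.valid.from` or `zeek.kerberos.valid.until` will also arrive as strings, and those `date` processors sit behind `if:` guards that this single fixture never exercises. I would add at least one ISO8601 record to the x509 or kerberos test log together with the matching `-expected.json` entry, so the guarded processors are covered as well. The new record itself is fine as test data.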
@@ -218,5 +218,60 @@
 "zeek.connection.state": "OTH",
 "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).",
 "zeek.session_id": "Cc6NJ3GRlfjE44I3h"
+ },
+ {
+ "@timestamp": "2021-06-09T20:55:13.160Z",
+ "destination.address": "172.217.9.68",
+ "destination.as.number": 15169,
+ "destination.as.organization.name": "Google LLC",
+ "destination.bytes": 0,
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 37.751,
+ "destination.geo.location.lon": -97.822,
+ "destination.ip": "172.217.9.68",
+ "destination.packets": 0,
+ "destination.port": 80,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.connection",
+ "event.id": "C2KP1V3alRLoxl4JB9",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "info"
+ ],
+ "fileset.name": "connection",
+ "input.type": "log",
+ "log.offset": 1488,
+ "network.bytes": 0,
+ "network.community_id": "1:DzqI9CYXjMSYV8VoSAHtMNfMIeU=",
+ "network.direction": "outbound",
+ "network.packets": 0,
+ "network.transport": "tcp",
+ "related.ip": [
+ "10.0.2.15",
+ "172.217.9.68"
+ ],
+ "service.type": "zeek",
+ "source.address": "10.0.2.15",
+ "source.bytes": 0,
+ "source.ip": "10.0.2.15",
+ "source.packets": 0,
+ "source.port": 46408,
+ "tags": [
+ "zeek.connection",
+ "local_orig"
+ ],
+ "zeek.connection.history": "C",
+ "zeek.connection.local_orig": true,
+ "zeek.connection.local_resp": false,
+ "zeek.connection.missed_bytes": 0,
+ "zeek.connection.state": "OTH",
+ "zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).",
+ "zeek.session_id": "C2KP1V3alRLoxl4JB9"
 }
 ]
\ No newline at end of file
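Review bot: The new expected document shows `@timestamp` as `2021-06-09T20:55:13.160Z` for a fixture `ts` of `2021-06-09T20:55:13.160328Z`, so the microseconds Zeek writes are truncated to milliseconds on ingest, which matters when an analyst orders events inside one flow by `@timestamp` alone. That loss is presumably not new (the UNIX float path should drop the same digits), but this fixture is the first place it is visible, so the pipeline deserves a note such as `# @timestamp keeps millisecond precision only; correlate sub-ms events via zeek.session_id rather than ordering by time`. Whether a `date_nanos` mapping is wanted is a template question outside this change.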
diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml index f0a837709dc..cd3aa92da66 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dce_rpc.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dce_rpc.ts - append: diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml index 49216c077c2..5bdf44d2c59 100644 --- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dhcp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dhcp.ts - set: diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml index e104312e1e1..071b22ff81b 100644 --- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dnp3.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dnp3.ts - set: diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml index 6d9ed369ea8..58372aa2446 100644 --- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml @@ -12,6 +12,7 @@ processors: field: zeek.dns.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dns.ts diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml index 32d1852c3e2..9eeacd83167 100644 --- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.dpd.ts formats: - UNIX + - ISO8601 - remove: field: zeek.dpd.ts - geoip: 
diff --git a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml index 754720e9209..c7b1d33ec9a 100644 --- a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.files.ts formats: - UNIX + - ISO8601 - remove: field: zeek.files.ts - script: diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml index f1f7d0b4f52..52d08b15db9 100644 --- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ftp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ftp.ts - dot_expander: diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml index a2c4a85b994..b4cc3baf6e4 100644 --- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.http.ts formats: - UNIX + - ISO8601 - remove: field: zeek.http.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml index f7009431131..1f193b4e22c 100644 --- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.intel.ts formats: - UNIX + - ISO8601 - remove: field: zeek.intel.ts # IP Geolocation Lookup diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml index dd1e37a7035..fb8c233bd25 100644 --- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.irc.ts formats: - UNIX + - ISO8601 - remove: field: zeek.irc.ts - append: 
diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml index e0f45f71585..b9c61080aa5 100644 --- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.kerberos.ts formats: - UNIX + - ISO8601 - remove: field: zeek.kerberos.ts - script: @@ -20,12 +21,14 @@ processors: target_field: zeek.kerberos.valid.until formats: - UNIX + - ISO8601 if: ctx.zeek.kerberos.valid?.until != null - date: field: zeek.kerberos.valid.from target_field: zeek.kerberos.valid.from formats: - UNIX + - ISO8601 if: ctx.zeek.kerberos.valid?.from != null - set: field: event.outcome diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml index d918b2de09a..eadc215c31a 100644 --- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.modbus.ts formats: - UNIX + - ISO8601 - remove: field: zeek.modbus.ts - append: diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index d5552af6d29..f0dcd1098c0 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.mysql.ts formats: - UNIX + - ISO8601 - remove: field: zeek.mysql.ts - append: diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml index c741d355361..b80566d66c6 100644 --- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.notice.ts formats: - UNIX + - ISO8601 - remove: field: zeek.notice.ts - geoip: 
diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml index 690fd54a54b..ce950e49bda 100644 --- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ntlm.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ntlm.ts - append: diff --git a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml index ed603292a3d..a93599c91d0 100644 --- a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ntp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ntp.ts # IP Geolocation Lookup @@ -85,21 +86,25 @@ processors: target_field: zeek.ntp.ref_time formats: - UNIX + - ISO8601 - date: field: zeek.ntp.org_time target_field: zeek.ntp.org_time formats: - UNIX + - ISO8601 - date: field: zeek.ntp.rec_time target_field: zeek.ntp.rec_time formats: - UNIX + - ISO8601 - date: field: zeek.ntp.xmt_time target_field: zeek.ntp.xmt_time formats: - UNIX + - ISO8601 - convert: ignore_missing: true field: zeek.ntp.version diff --git a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml index 462c1f36612..b4681a7637a 100644 --- a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ocsp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ocsp.ts - date: 
@@ -17,18 +18,21 @@ processors: target_field: zeek.ocsp.revoke.date formats: - UNIX + - ISO8601 if: ctx.zeek.ocsp.revoke?.date != null - date: field: zeek.ocsp.update.this target_field: zeek.ocsp.update.this formats: - UNIX + - ISO8601 if: ctx.zeek.ocsp.update?.this != null - date: field: zeek.ocsp.update.next target_field: zeek.ocsp.update.next formats: - UNIX + - ISO8601 if: ctx.zeek.ocsp.update?.next != null - append: field: related.hash diff --git a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml index 6e1272a8ab2..08c1b27c294 100644 --- a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.pe.ts formats: - UNIX + - ISO8601 - remove: field: zeek.pe.ts - date: @@ -17,6 +18,7 @@ processors: target_field: zeek.pe.compile_time formats: - UNIX + - ISO8601 if: ctx.zeek.pe.compile_time != null on_failure: - set: diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml index acc7fad2f03..1736ed47656 100644 --- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.radius.ts formats: - UNIX + - ISO8601 - remove: field: zeek.radius.ts - append: diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml index bbe4abcee9f..78aa132f9ef 100644 --- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.rdp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.rdp.ts - convert: diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml index 2ce5fda4e16..4a3b6621e7e 100644 --- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.rfb.ts formats: - UNIX + - ISO8601 - remove: field: zeek.rfb.ts - append: diff --git a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml index 539ea5d7912..5c35409d28d 100644 --- a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.signature.ts formats: - UNIX + - ISO8601 - remove: field: zeek.signature.ts # IP Geolocation Lookup diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml index 045d5afe760..ddba53574cd 100644 --- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.sip.ts formats: - UNIX + - ISO8601 - remove: field: zeek.sip.ts - grok: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml index 0a853104351..3034b183330 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smb_cmd.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smb_cmd.ts - remove: diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml index b1c0d3a6992..18ba31c60cb 100644 --- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smb_files.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smb_files.ts - dot_expander: 
@@ -29,6 +30,7 @@ processors: target_field: zeek.smb_files.times.accessed formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.accessed @@ -39,6 +41,7 @@ processors: target_field: zeek.smb_files.times.changed formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.ctime @@ -49,6 +52,7 @@ processors: target_field: zeek.smb_files.times.created formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.created @@ -59,6 +63,7 @@ processors: target_field: zeek.smb_files.times.modified formats: - UNIX + - ISO8601 if: ctx.zeek.smb_files.times?.accessed != null - set: field: file.mtime diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml index e116e1bfb60..15ed595d245 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smb_mapping.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smb_mapping.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml index 03e2ffb6a25..5cf3b12cf24 100644 --- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.smtp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.smtp.ts - date: diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml index 1aefc539733..7fd305fab5a 100644 --- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.snmp.ts formats: - UNIX + - ISO8601 - remove: field: zeek.snmp.ts - date: 
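Review bot: The `if:` guards in the three hunks after the `times.accessed` one all test `ctx.zeek.smb_files.times?.accessed != null`, although the fields being parsed are `times.changed`, `times.created` and `times.modified`; the guards are pre-existing context, but the new `ISO8601` entry lands inside each of those processors, so this is the pass to fix them. With the current guards a record that has `accessed` but lacks one of the other three would, as far as I recall, make that `date` processor fail on a missing field, while a record lacking `accessed` silently leaves the other three unparsed. They should read `if: ctx.zeek.smb_files.times?.changed != null`, `if: ctx.zeek.smb_files.times?.created != null` and `if: ctx.zeek.smb_files.times?.modified != null` respectively. Whether a pipeline-level `on_failure` masks the first case is not visible in these hunks.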
@@ -17,6 +18,7 @@ processors: target_field: zeek.snmp.up_since formats: - UNIX + - ISO8601 if: ctx.zeek.snmp.up_since != null - geoip: field: destination.ip diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml index e64c5ec9eb3..4f98ce007ab 100644 --- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.socks.ts formats: - UNIX + - ISO8601 - remove: field: zeek.socks.ts - dot_expander: diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml index 26980d26f3d..7e943ae513a 100644 --- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.ssh.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ssh.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml index 4a980be985a..eb7a25ca026 100644 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.ssl.ts formats: - UNIX + - ISO8601 - remove: field: zeek.ssl.ts - date: @@ -19,12 +20,14 @@ processors: target_field: tls.server.not_before formats: - UNIX + - ISO8601 - date: if: ctx.tls?.server?.not_after != null field: tls.server.not_after target_field: tls.server.not_after formats: - UNIX + - ISO8601 - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml index 04e851e14a9..b86e9d65dba 100644 --- a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml 
@@ -10,6 +10,7 @@ processors: field: zeek.stats.ts formats: - UNIX + - ISO8601 - remove: field: zeek.stats.ts - set: diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml index 5f3432ec488..4838fad72c5 100644 --- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.syslog.ts formats: - UNIX + - ISO8601 - remove: field: zeek.syslog.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml index f4744c540d7..da5f549f23e 100644 --- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.traceroute.ts formats: - UNIX + - ISO8601 - remove: field: zeek.traceroute.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml index 9ca83da3305..51c912764fb 100644 --- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.tunnel.ts formats: - UNIX + - ISO8601 - remove: field: zeek.tunnel.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml index d791eb77a09..8ee448cda4d 100644 --- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml @@ -10,6 +10,7 @@ processors: field: zeek.weird.ts formats: - UNIX + - ISO8601 - remove: field: zeek.weird.ts - geoip: diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml index db9317cca6e..ccca3995ad7 100644 --- a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml @@ -11,6 +11,7 @@ processors: field: zeek.x509.ts formats: - UNIX + - ISO8601 - remove: field: zeek.x509.ts - set: @@ -129,6 +130,7 @@ processors: target_field: zeek.x509.certificate.valid.from formats: - UNIX + - ISO8601 if: ctx.zeek.x509.certificate?.valid?.from != null - set: field: file.x509.not_before @@ -139,6 +141,7 @@ processors: target_field: zeek.x509.certificate.valid.until formats: - UNIX + - ISO8601 if: ctx.zeek.x509.certificate?.valid?.until != null - set: field: file.x509.not_after