diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf
index d300b93..c0c4f27 100644
--- a/resources/elk6/pipeline/1000_nessus_process_file.conf
+++ b/resources/elk6/pipeline/1000_nessus_process_file.conf
@@ -28,9 +28,9 @@ filter { if "nessus" in [tags] or "tenable" in [tags] { date { - match => [ "_timestamp", "UNIX" ] + match => [ "scan_time", "UNIX" ] target => "@timestamp" - remove_field => ["_timestamp"] + remove_field => ["scan_time"] } #If using filebeats as your source, you will need to replace the "path" field to "source"
diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf
index 145852c..aad34f1 100644
--- a/resources/elk6/pipeline/2000_qualys_web_scans.conf
+++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf
@@ -20,9 +20,9 @@ input { filter { if "qualys" in [tags] { date { - match => [ "_timestamp", "UNIX" ] + match => [ "scan_time", "UNIX" ] target => "@timestamp" - remove_field => ["_timestamp"] + remove_field => ["scan_time"] } grok {
diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf
index 7017acd..47aed47 100644
--- a/resources/elk6/pipeline/3000_openvas.conf
+++ b/resources/elk6/pipeline/3000_openvas.conf
@@ -21,9 +21,9 @@ input { filter { if "openvas_scan" in [tags] { date { - match => [ "_timestamp", "UNIX" ] + match => [ "scan_time", "UNIX" ] target => "@timestamp" - remove_field => ["_timestamp"] + remove_field => ["scan_time"] } grok {
diff --git a/vulnwhisp/vulnwhisp.py b/vulnwhisp/vulnwhisp.py
index e39bf60..2291500 100755
--- a/vulnwhisp/vulnwhisp.py
+++ b/vulnwhisp/vulnwhisp.py
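Review bot: The date filter now matches only `scan_time`, so any report JSON still carrying the old `_timestamp` key (files written by the previous version but not yet picked up, or re-ingested after a sincedb reset) no longer gets its time parsed; logstash then tags the event `_dateparsefailure` and leaves `@timestamp` at ingest time, silently mis-dating those findings. A transitional rename placed before the `date` block keeps both layouts working: `if [_timestamp] and ![scan_time] { mutate { rename => { "_timestamp" => "scan_time" } } }`. The same applies to the `2000_qualys_web_scans.conf` and `3000_openvas.conf` hunks below, which make the identical change. Whether such older files are actually still present in the watched path cannot be seen from the diff.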
@@ -278,7 +278,7 @@ class vulnWhispererBase(object): df.loc[(df[cvss_version] >= 6) & (df[cvss_version] < 9), cvss_version + '_severity'] = 'high' df.loc[(df[cvss_version] > 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical' - # Make rename cvss to cvss2 + # Rename cvss to cvss2 # Make cvss with no suffix == cvss3 else cvss2 # cvss = cvss3 if cvss3 else cvss2 # cvss_severity = cvss3_severity if cvss3_severity else cvss2_severity
@@ -497,9 +497,7 @@ class vulnWhispererNessus(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = uuid - - # Add timestamp - vuln_ready['_timestamp'] = norm_time + vuln_ready['scan_time'] = norm_time vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready.to_json(relative_path_name, orient='records', lines=True)
@@ -658,8 +656,7 @@ class vulnWhispererQualys(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add timestamp - vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION record_meta = (
@@ -680,7 +677,7 @@ class vulnWhispererQualys(vulnWhispererBase): vuln_ready.to_json(relative_path_name, orient='records', lines=True) elif output_format == 'csv': - vuln_ready.to_csv(relative_path_name, index=False, header=True) # add when timestamp occured + vuln_ready.to_csv(relative_path_name, index=False, header=True) self.logger.info('Report written to {}'.format(report_name))
@@ -833,8 +830,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - # Add _timestamp and convert to milliseconds - vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION vuln_ready.to_json(relative_path_name, orient='records', lines=True)
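Review bot: A score of exactly 9.0 falls through both severity buckets in the context lines of the first hunk: the `high` row stops at `< 9` and the `critical` row starts at `> 9`, so a finding scoring 9.0 is left with no `_severity` label at all, which is the worst place for a gap in a vulnerability feed. The boundary should be inclusive on the critical side, `df.loc[(df[cvss_version] >= 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical'`. The lower buckets and the enclosing method are above the hunk, so whether `>= 6` for `high` is deliberate cannot be judged here.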
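Review bot: The new `vuln_ready['scan_time'] = norm_time` line in the `vulnWhispererNessus` hunk, together with the three lines around it, is repeated verbatim in four exporter classes, which is exactly why this rename had to touch every one of them plus three pipeline files; the key name is a contract with the logstash `date` filters and a missed copy fails silently. A `vulnWhispererBase` helper that stamps the common fields, called here as `self._set_common_fields(vuln_ready, scan_name, uuid, norm_time)`, would put the field name and a comment that it must match the `match => [ "scan_time", "UNIX" ]` clauses in `resources/elk6/pipeline/*.conf` in one place. The removed `# Add timestamp` comment was also the only hint at what `norm_time` holds; a replacement such as `# scan_time: scan launch time as a UNIX epoch, parsed by the pipeline's date filter` is worth keeping, hedged until the unit is confirmed, since `norm_time` is computed outside the hunk. The enclosing method starts and ends outside the hunk.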
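Review bot: The comment removed in the `vulnWhispererOpenVAS` hunk said the timestamp was "converted to milliseconds", yet `3000_openvas.conf` parses `scan_time` with the `UNIX` pattern, which expects epoch seconds; if `launched_date` really is milliseconds, every OpenVAS finding gets a `@timestamp` tens of thousands of years out and will never appear in a time-bounded query. `launched_date` is computed outside the hunk, so this needs confirming: either convert to seconds before `vuln_ready['scan_time'] = launched_date`, or switch that pipeline to `UNIX_MS`, and record the unit on the line, e.g. `vuln_ready['scan_time'] = launched_date  # epoch seconds, must match the UNIX date pattern in 3000_openvas.conf`. Listing both `UNIX` and `UNIX_MS` in the pipeline would not help, because the `UNIX` pattern will happily read a 13-digit value as seconds. The enclosing method continues outside the hunk.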
@@ -935,9 +931,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase): # Set common fields vuln_ready['scan_name'] = scan_name.encode('utf8') vuln_ready['scan_id'] = report_id - - # Add timestamp - vuln_ready['_timestamp'] = launched_date + vuln_ready['scan_time'] = launched_date vuln_ready['scan_source'] = self.CONFIG_SECTION except Exception as e: