don't use reserved _timestamp
@ -28,9 +28,9 @@ filter {
|
|||||||
if "nessus" in [tags] or "tenable" in [tags] {
|
if "nessus" in [tags] or "tenable" in [tags] {
|
||||||
|
|
||||||
date {
|
date {
|
||||||
match => [ "_timestamp", "UNIX" ]
|
match => [ "scan_time", "UNIX" ]
|
||||||
target => "@timestamp"
|
target => "@timestamp"
|
||||||
remove_field => ["_timestamp"]
|
remove_field => ["scan_time"]
|
||||||
}
|
}
|
||||||
|
|
||||||
#If using filebeats as your source, you will need to replace the "path" field to "source"
|
#If using filebeats as your source, you will need to replace the "path" field to "source"
|
||||||
|
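Review bot: The `remove_field => ["scan_time"]` in the new `date` block is only applied when the match succeeds, so an event whose `scan_time` is missing or not epoch seconds keeps the field, receives the default `_dateparsefailure` tag and gets `@timestamp` set to ingest time — the finding is then silently dated to when it was loaded rather than when the scan ran. It is worth making that failure explicit instead of relying on the default tag, e.g. `tag_on_failure => ["_dateparsefailure", "scan_time_unparsed"]` inside the `date` block, with a downstream conditional that sets such events aside for inspection. The same point applies to the qualys and openvas_scan hunks at `@ -20,9 +20,9 @@` and `@ -21,9 +21,9 @@`. The enclosing `filter { if ... }` block continues outside the hunk.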
@ -20,9 +20,9 @@ input {
|
|||||||
filter {
|
filter {
|
||||||
if "qualys" in [tags] {
|
if "qualys" in [tags] {
|
||||||
date {
|
date {
|
||||||
match => [ "_timestamp", "UNIX" ]
|
match => [ "scan_time", "UNIX" ]
|
||||||
target => "@timestamp"
|
target => "@timestamp"
|
||||||
remove_field => ["_timestamp"]
|
remove_field => ["scan_time"]
|
||||||
}
|
}
|
||||||
|
|
||||||
grok {
|
grok {
|
||||||
|
@ -21,9 +21,9 @@ input {
|
|||||||
filter {
|
filter {
|
||||||
if "openvas_scan" in [tags] {
|
if "openvas_scan" in [tags] {
|
||||||
date {
|
date {
|
||||||
match => [ "_timestamp", "UNIX" ]
|
match => [ "scan_time", "UNIX" ]
|
||||||
target => "@timestamp"
|
target => "@timestamp"
|
||||||
remove_field => ["_timestamp"]
|
remove_field => ["scan_time"]
|
||||||
}
|
}
|
||||||
|
|
||||||
grok {
|
grok {
|
||||||
|
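Review bot: The new `match => [ "scan_time", "UNIX" ]` parses `scan_time` as epoch seconds, but the comment removed in the vulnWhispererOpenVAS hunk (`# Add _timestamp and convert to milliseconds`) suggests `launched_date` may be in milliseconds, and no conversion is visible on either side of this commit. If the value is epoch milliseconds the `UNIX` pattern will mis-parse it; confirm the unit where `launched_date` is produced and use `UNIX_MS` here if it is milliseconds. The enclosing `filter` block continues outside the hunk.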
@ -278,7 +278,7 @@ class vulnWhispererBase(object):
|
|||||||
df.loc[(df[cvss_version] >= 6) & (df[cvss_version] < 9), cvss_version + '_severity'] = 'high'
|
df.loc[(df[cvss_version] >= 6) & (df[cvss_version] < 9), cvss_version + '_severity'] = 'high'
|
||||||
df.loc[(df[cvss_version] > 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical'
|
df.loc[(df[cvss_version] > 9) & (df[cvss_version].notnull()), cvss_version + '_severity'] = 'critical'
|
||||||
|
|
||||||
# Make rename cvss to cvss2
|
# Rename cvss to cvss2
|
||||||
# Make cvss with no suffix == cvss3 else cvss2
|
# Make cvss with no suffix == cvss3 else cvss2
|
||||||
# cvss = cvss3 if cvss3 else cvss2
|
# cvss = cvss3 if cvss3 else cvss2
|
||||||
# cvss_severity = cvss3_severity if cvss3_severity else cvss2_severity
|
# cvss_severity = cvss3_severity if cvss3_severity else cvss2_severity
|
||||||
@ -497,9 +497,7 @@ class vulnWhispererNessus(vulnWhispererBase):
|
|||||||
# Set common fields
|
# Set common fields
|
||||||
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
||||||
vuln_ready['scan_id'] = uuid
|
vuln_ready['scan_id'] = uuid
|
||||||
|
vuln_ready['scan_time'] = norm_time
|
||||||
# Add timestamp
|
|
||||||
vuln_ready['_timestamp'] = norm_time
|
|
||||||
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
||||||
|
|
||||||
vuln_ready.to_json(relative_path_name, orient='records', lines=True)
|
vuln_ready.to_json(relative_path_name, orient='records', lines=True)
|
||||||
@ -658,8 +656,7 @@ class vulnWhispererQualys(vulnWhispererBase):
|
|||||||
# Set common fields
|
# Set common fields
|
||||||
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
||||||
vuln_ready['scan_id'] = report_id
|
vuln_ready['scan_id'] = report_id
|
||||||
# Add timestamp
|
vuln_ready['scan_time'] = launched_date
|
||||||
vuln_ready['_timestamp'] = launched_date
|
|
||||||
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
||||||
|
|
||||||
record_meta = (
|
record_meta = (
|
||||||
@ -680,7 +677,7 @@ class vulnWhispererQualys(vulnWhispererBase):
|
|||||||
vuln_ready.to_json(relative_path_name, orient='records', lines=True)
|
vuln_ready.to_json(relative_path_name, orient='records', lines=True)
|
||||||
|
|
||||||
elif output_format == 'csv':
|
elif output_format == 'csv':
|
||||||
vuln_ready.to_csv(relative_path_name, index=False, header=True) # add when timestamp occured
|
vuln_ready.to_csv(relative_path_name, index=False, header=True)
|
||||||
|
|
||||||
self.logger.info('Report written to {}'.format(report_name))
|
self.logger.info('Report written to {}'.format(report_name))
|
||||||
|
|
||||||
@ -833,8 +830,7 @@ class vulnWhispererOpenVAS(vulnWhispererBase):
|
|||||||
# Set common fields
|
# Set common fields
|
||||||
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
||||||
vuln_ready['scan_id'] = report_id
|
vuln_ready['scan_id'] = report_id
|
||||||
# Add _timestamp and convert to milliseconds
|
vuln_ready['scan_time'] = launched_date
|
||||||
vuln_ready['_timestamp'] = launched_date
|
|
||||||
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
||||||
|
|
||||||
vuln_ready.to_json(relative_path_name, orient='records', lines=True)
|
vuln_ready.to_json(relative_path_name, orient='records', lines=True)
|
||||||
@ -935,9 +931,7 @@ class vulnWhispererQualysVuln(vulnWhispererBase):
|
|||||||
# Set common fields
|
# Set common fields
|
||||||
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
vuln_ready['scan_name'] = scan_name.encode('utf8')
|
||||||
vuln_ready['scan_id'] = report_id
|
vuln_ready['scan_id'] = report_id
|
||||||
|
vuln_ready['scan_time'] = launched_date
|
||||||
# Add timestamp
|
|
||||||
vuln_ready['_timestamp'] = launched_date
|
|
||||||
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
vuln_ready['scan_source'] = self.CONFIG_SECTION
|
||||||
|
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
|