Cleanup logstash configs

2019-04-15 20:10:49 +10:00
parent 74ebf43492
commit 97d2a2606c
5 changed files with 138 additions and 188 deletions
--- a/resources/elk6/pipeline/3000_openvas.conf
+++ b/resources/elk6/pipeline/3000_openvas.conf
@ -20,27 +20,27 @@ input {

 filter {
  if "openvas_scan" in [tags] {
-    mutate {
-      replace => [ "message", "%{message}" ]
-      gsub => [
-        "message", "\|\|\|", " ",
-        "message", "\t\t", " ",
-        "message", "    ", " ",
-        "message", "   ", " ",
-        "message", "  ", " ",
-        "message", "nan", " ",
-        "message",'\n',''
-      ]
+    date {
+      match => [ "_timestamp", "UNIX" ]
+      target => "@timestamp"
+      remove_field => ["timestamp"]
    }

-
    grok {
-        match => { "path" => "openvas_scan_%{DATA:scan_id}_%{INT:last_updated}.json$" }
+        match => { "path" => "openvas_scan_%{DATA}_%{INT}.json$" }
        tag_on_failure => []
    }

-    mutate {
-      add_field => { "risk_score" => "%{cvss}" }
+    translate {
+      field => "[risk_number]"
+      destination => "[risk]"
+      dictionary => {
+        "0" => "Info"
+        "1" => "Low"
+        "2" => "Medium"
+        "3" => "High"
+        "4" => "Critical"
+      }
    }

    if [risk] == "1" {
@ -93,21 +93,24 @@ filter {
      }
    }

-    # TODO remove when @timestamp is included in event
-    date {
-      match => [ "last_updated", "UNIX" ]
-      target => "@timestamp"
-      remove_field => "last_updated"
-    }
    mutate {
-      convert => { "plugin_id" => "integer"}
+      add_field => { "risk_score" => "%{cvss}" }
+    }
+
+    mutate {
+      convert => { "cvss_base" => "float"}
+      convert => { "cvss_temporal" => "float"}
+      convert => { "cvss" => "float"}
+      convert => { "cvss3_base" => "float"}
+      convert => { "cvss3_temporal" => "float"}
+      convert => { "cvss3" => "float"}
      convert => { "id" => "integer"}
+      convert => { "plugin_id" => "integer"}
      convert => { "risk_number" => "integer"}
      convert => { "risk_score" => "float"}
      convert => { "total_times_detected" => "integer"}
-      convert => { "cvss_temporal" => "float"}
-      convert => { "cvss" => "float"}
    }
+
    if [risk_score] == 0 {
      mutate {
        add_field => { "risk_score_name" => "info" }
@ -139,6 +142,19 @@ filter {
        add_tag => [ "critical_asset" ]
      }
    }
+    mutate {
+      convert => { "plugin_id" => "integer"}
+      convert => { "id" => "integer"}
+      convert => { "risk_number" => "integer"}
+      convert => { "risk_score" => "float"}
+      convert => { "total_times_detected" => "integer"}
+      convert => { "cvss" => "float"}
+      convert => { "cvss_base" => "float"}
+      convert => { "cvss_temporal" => "float"}
+      convert => { "cvss3" => "float"}
+      convert => { "cvss3_base" => "float"}
+      convert => { "cvss3_temporal" => "float"}
+    }
  }
 }
 output {