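# Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io
# Last Update: 12/20/2017
# Version 0.3
# Description: Take in Nessus/Tenable scan exports written by VulnWhisperer and
#              push them into Elasticsearch through Logstash.
#
# Pipeline: read each exported JSON report exactly once (mode => "read"),
# turn the export's UNIX timestamp into @timestamp, coerce the CVSS/risk
# fields to numbers, then index into logstash-vulnwhisperer-YYYY.MM.

input {
  # Nessus exports. NOTE: file_completed_action => "delete" removes the report
  # from disk as soon as it has been read to the end, so the raw scan output is
  # NOT retained as evidence. If the originals must be kept, switch to
  # file_completed_action => "log" (with file_completed_log_path) and prune
  # separately.
  file {
    path                  => "/opt/VulnWhisperer/data/nessus/**/*.json"
    mode                  => "read"
    start_position        => "beginning"
    file_completed_action => "delete"
    tags                  => ["nessus"]
    codec                 => json
  }

  # Tenable.io exports; identical handling, only the directory and tag differ.
  file {
    path                  => "/opt/VulnWhisperer/data/tenable/*.json"
    mode                  => "read"
    start_position        => "beginning"
    file_completed_action => "delete"
    tags                  => ["tenable"]
    codec                 => json
  }
}

filter {
  if "nessus" in [tags] or "tenable" in [tags] {
    # The export carries the scan time as a UNIX epoch in _timestamp; promote it
    # to the event time. remove_field only fires on a successful match, so an
    # unparseable value stays in _timestamp and the event is tagged
    # _dateparsefailure (Logstash default) rather than dropped.
    date {
      match        => [ "_timestamp", "UNIX" ]
      target       => "@timestamp"
      remove_field => ["_timestamp"]
    }

    # If Filebeat is the source instead of the file input, the file name is
    # delivered in [source] (newer Beats may use [log][file][path]) rather than
    # [path]; change the field name below accordingly.
    #
    # TODO: remove once the scan name is carried inside the event itself;
    # deriving it from the file name is error prone. Only history_id is
    # extracted here -- the leading group (the scan name) is matched but not
    # captured. The "." before "json" is escaped so it matches a literal dot.
    # tag_on_failure => [] keeps non-matching file names from being tagged.
    grok {
      match          => { "path" => "([a-zA-Z0-9_.\-]+)_%{INT}_%{INT:history_id}_%{INT}\.json$" }
      tag_on_failure => []
    }

    # Coerce the scoring fields to numeric types so Elasticsearch maps them as
    # numbers (range queries, aggregations) instead of keyword strings.
    # One convert hash instead of one per field: repeating the same option key
    # inside a plugin block only works because Logstash merges duplicate keys,
    # which it now warns about and may reject in future releases.
    mutate {
      convert => {
        "cvss"                 => "float"
        "cvss_base"            => "float"
        "cvss_temporal"        => "float"
        "cvss3"                => "float"
        "cvss3_base"           => "float"
        "cvss3_temporal"       => "float"
        "risk_number"          => "integer"
        "total_times_detected" => "integer"
      }
    }
  }
}

output {
  if "nessus" in [tags] or "tenable" in [tags] {
    # One dot per event on stdout -- a cheap liveness/throughput indicator.
    stdout { codec => dots }

    # Plain HTTP with no credentials (the output's defaults). Vulnerability
    # findings are sensitive, so this is only acceptable when the
    # "elasticsearch" host is reachable solely from this pipeline's network.
    # With Elasticsearch security enabled, add ssl => true plus
    # user/password or api_key here and use an https endpoint.
    elasticsearch {
      hosts => [ "elasticsearch:9200" ]
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}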