Indexme override rule?

[priamai]

Describe the problem

I am not sure I quite understand the logstash pipeline, I have a few points that should be clarified:

• 0098-all-filter.conf: this renames some Kafka metadata information but not all inputs are coming from Kafka (some are UDP and Filebeat for example), is this intentional?
• 11-helk-indexme.json: this has order 11 -> this should match when the output has no schema?
• 71-helk-indexme-zeek.json: this has also order 11 -> this should match when the event log is zeek temporary not in schema?

Why the last two have the same order 11? The 71 rule will override the 11 rule. Is this intentional?

[Cyb3rWard0g]

Hello @priamai !

First i would like to say thank you very much for helping us troubleshoot some of the current issues. I disconnected a little bit at the end of the year and then had a busy January. thank you for your patience.

Regarding the logstash pipeline,

0098-all-filter.cong

• If it comes from kafka, then this applies: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/pipeline/0098-all-filter.conf#L13-L20
• any other input https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-logstash/pipeline/0098-all-filter.conf#L21
• Yes, that is on purpose.

11-helk-indexme.json: and *71-helk-indexme-zeek.json

• whenever @neu5ron you have some time, would you mind sharing your thoughts on this one? Thank you in advance :)

[priamai]

Hi @Cyb3rWard0g , thanks for the clarification and welcome back!

[neu5ron]

@priamai it's to handle a specific issue - this file will be overwritten eventually when I merged the whole OSSEM I built for zeek. let me know if have any other questions