Closed dougburks closed 4 years ago
JSON via Logstash parsing -
Hmm... `client_channels` should have been added to logstash_template.json:
https://github.com/Security-Onion-Solutions/securityonion-elastic/commit/6f2384f223b32d39721f8fec84dcfda74e44425b
Perhaps you're looking at an existing index that was created with the old template and the next day's index will be created with the new template?
Looking into this further, we might need to update the Kibana Index Pattern for *:logstash-*.
securityonion-elastic - 20190510-1ubuntu1securityonion83 is now available at ppa:securityonion/test and adds `client_channels`, `origin`, and `tunnel_client` to the Kibana Index Pattern.
Looks good 👍
As we migrate to Zeek 3, some log formats have changed, so we need to update our parsers accordingly:
- `orig_cc`, `resp_cc`, `original_country_code`, and `respond_country_code` from `conn` (https://github.com/Security-Onion-Solutions/security-onion/issues/1630)
- `origin` to `http`
- `dropped` from `notice`
- `remote_ip` to `tunnel_client` (string) in `radius`
- `client_channels` to `rdp`
This also means that we need to add the following fields to the template:
Reference the Zeek 3.0.0 section here: https://github.com/zeek/zeek/blob/release/NEWS
We need to make sure all 3 parsing pipelines are updated and tested:
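As an added example (not code from securityonion-elastic), the two checks a migration like this calls for: confirming the index template carries the Zeek 3 fields named in the issue, and mapping a legacy `radius` record's `remote_ip` onto the Zeek 3 `tunnel_client` string so mixed-version sensors land on one field. The template JSON and the records are constructed stand-ins, not the project's real `logstash_template.json`.

```python
import json

# Fields the issue says Zeek 3 adds (rdp, http, radius) and that the
# Elasticsearch template therefore needs to map.
ZEEK3_NEW_FIELDS = {"client_channels", "origin", "tunnel_client"}

# Constructed stand-in for logstash_template.json: a trimmed mapping with one
# of the three new fields deliberately missing.
SAMPLE_TEMPLATE = json.loads("""{
  "index_patterns": ["logstash-*"],
  "mappings": {"properties": {
    "client_channels": {"type": "keyword"},
    "tunnel_client":   {"type": "keyword"},
    "remote_ip":       {"type": "ip"}
  }}
}""")


def missing_template_fields(template, required=ZEEK3_NEW_FIELDS):
    """Return, sorted, the required field names absent from the template.

    Note that a template change only affects indices created after it is
    installed; an existing daily index keeps the mapping it was born with.
    """
    props = template.get("mappings", {}).get("properties", {})
    return sorted(required - props.keys())


def normalize_radius(record):
    """Map a Zeek 2.x radius record onto the Zeek 3 field layout.

    Zeek 3 renamed remote_ip (addr) to tunnel_client (string). A record that
    already uses tunnel_client is returned unchanged; a legacy record has
    remote_ip moved into tunnel_client as a string.
    """
    rec = dict(record)
    if "remote_ip" in rec and "tunnel_client" not in rec:
        rec["tunnel_client"] = str(rec.pop("remote_ip"))
    return rec


if __name__ == "__main__":
    print("missing from template:", missing_template_fields(SAMPLE_TEMPLATE))
    # Constructed legacy (Zeek 2.x) and current (Zeek 3) radius records.
    legacy = {"username": "alice", "remote_ip": "10.0.0.5", "result": "success"}
    current = {"username": "alice", "tunnel_client": "10.0.0.5", "result": "success"}
    print(normalize_radius(legacy) == normalize_radius(current))
```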