securityonion-elastic: update parsers for Zeek 3

[dougburks]

As we migrate to Zeek 3, some log formats have changed, so we need to update our parsers accordingly:

• remove orig_cc,resp_cc,original_country_code, and respond_country_code from conn (https://github.com/Security-Onion-Solutions/security-onion/issues/1630)
• add origin to http
• remove dropped from notice
• change remote_ip to tunnel_client (string) in radius
• add client_channels to rdp

This also means that we need to add the following fields to the template:

• client_channels
• origin
• tunnel_client

Reference the Zeek 3.0.0 section here: https://github.com/zeek/zeek/blob/release/NEWS

We need to make sure all 3 parsing pipelines are updated and tested:

• traditional TSV via Logstash parsing
• JSON via Logstash parsing
• JSON via Elasticsearch ingest node parsing

[defensivedepth]

JSON via Logstash parsing -

---

[dougburks]

Hmm...client_channels should have been added to logstash_template.json: https://github.com/Security-Onion-Solutions/securityonion-elastic/commit/6f2384f223b32d39721f8fec84dcfda74e44425b

Perhaps you're looking at an existing index that was created with the old template and the next day's index will be created with the new template?

[dougburks]

Looking into this further, we might need to update the Kibana Index Pattern for *:logstash-*.

[dougburks]

securityonion-elastic - 20190510-1ubuntu1securityonion83 is now available at ppa:securityonion/test and adds client_channels, origin, and tunnel_client to the Kibana Index Pattern.

[weslambert]

Looks good 👍

[dougburks]

Published: https://blog.securityonion.net/2020/02/zeek-301-elastic-686-and-cyberchef-9120.html