// Graylog pipeline rule: takes a Zeek (Bro) ssl.log record that arrives as a
// single pipe-delimited line in `message` and promotes each column into its
// own message field. It fires for any message whose `application_name`
// contains "bro_ssl" (case-insensitive).
//
// Positional column layout assumed below (21 columns, m[0]..m[20]):
//   ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve
//   server_name resumed last_alert next_protocol established
//   cert_chain_fuids client_cert_chain_fuids subject issuer
//   client_subject client_issuer validation_status
// Check this against the `#fields` header of the sending Zeek version; a
// column added or removed upstream silently shifts every field after it.
//
// NOTE(review): server_name (the client-supplied SNI), subject/issuer and the
// client_* fields are attacker-influenced text. This rule only splits on "|",
// so if the producer's tab->pipe conversion does not escape or strip a literal
// "|" inside a value, an injected "|" shifts all later columns (e.g. a crafted
// SNI could end up populating validation_status). Confirm the producer escapes
// the delimiter, or verify the column count before trusting these fields.
//
// Presumably a record with fewer than 21 columns makes a later m[i] lookup fail
// part-way through `then`, leaving the message only partially enriched —
// check Graylog's pipeline error log if fields are intermittently missing.
// Zeek writes "-" for unset values; to_double/to_long on such a ts or port
// field yield the converter's default rather than the literal — TODO confirm.
rule "Extract bro_ssl log fields"
when
has_field("application_name") &&
contains(value: to_string($message.application_name), search: "bro_ssl", ignore_case: true)
then
// Split the raw line on a literal "|" (the "\\|" literal becomes the regex \|).
let m = split("\\|", to_string($message.message));
// Connection 5-tuple plus Zeek's connection uid; ports are stored numerically.
set_field("ts", to_double(m[0]));
set_field("uid", m[1]);
set_field("id_orig_h", m[2]);
set_field("id_orig_p", to_long(m[3]));
set_field("id_resp_h", m[4]);
set_field("id_resp_p", to_long(m[5]));
// TLS handshake parameters as logged by Zeek.
set_field("version", m[6]);
set_field("cipher", m[7]);
set_field("curve", m[8]);
// server_name is the SNI sent by the client — untrusted input, see header note.
set_field("server_name", m[9]);
// resumed/established are kept as Zeek's raw "T"/"F" strings, not booleans.
set_field("resumed", m[10]);
set_field("last_alert", m[11]);
set_field("next_protocol", m[12]);
set_field("established", m[13]);
// Certificate chain file uids (join to Zeek's files/x509 logs).
set_field("cert_chain_fuids", m[14]);
set_field("client_cert_chain_fuids", m[15]);
// Certificate subject/issuer strings come from the peer's certificate.
set_field("subject", m[16]);
set_field("issuer", m[17]);
set_field("client_subject", m[18]);
set_field("client_issuer", m[19]);
set_field("validation_status", m[20]);
end