diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index d96ac7d44..8e5593e43 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1692,7 +1692,7 @@ filter {
 id => "dissect_zeek_ja4ssh"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
 mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][id]} %{[zeek_cols][ja4ssh]} %{[zeek_cols][is_ssh]} %{[zeek_cols][orig_pack_len]} %{[zeek_cols][resp_pack_len]} %{[zeek_cols][orig_ack]} %{[zeek_cols][resp_ack]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}"
 }
 }
 if ("_dissectfailure" in [tags]) {
@@ -1703,7 +1703,7 @@ filter {
 }
 ruby {
 id => "ruby_zip_zeek_ja4ssh"
- init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'id', 'ja4ssh', 'is_ssh', 'orig_pack_len', 'resp_pack_len', 'orig_ack', 'resp_ack' ]"
+ init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]"
 code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)"
 }
 }
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 707c679f0..d5a9b4466 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -911,13 +911,6 @@ filter {
 }
 }
- mutate { id => "mutate_remove_fields_zeek_ja4ssh"
- remove_field => [ "[zeek][ja4ssh][is_ssh]",
- "[zeek][ja4ssh][orig_pack_len]",
- "[zeek][ja4ssh][resp_pack_len]",
- "[zeek][ja4ssh][orig_ack]",
- "[zeek][ja4ssh][resp_ack]" ] }
-
 } else if ([log_source] == "kerberos") {
 #############################################################################################################################
 # kerberos.log specific logic
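Review bot: The new mapping on the `+` line of the first hunk leaves `%{[zeek_cols][ja4ssh]}` as the final dissect field, and dissect's last field normally captures the remainder of the input, so any column a later ja4ssh.log format appends after the fingerprint would be folded into `ja4ssh` (delimiter included) rather than setting `_dissectfailure`; the previous pattern had the same property with `resp_ack`, so this is pre-existing but worth a note. The same seven-name column order is repeated in the `init` array of `ruby_zip_zeek_ja4ssh` in the second hunk, and nothing ties the two lists together; a comment at the mapping such as `# column order must match @zeek_ja4ssh_field_names in ruby_zip_zeek_ja4ssh below` would make that coupling explicit. Whether the `orig_h`/`orig_p`/`resp_h`/`resp_p` names line up with the `id.*` columns actually written by the deployed Zeek JA4 package cannot be confirmed from the hunk. The enclosing `dissect` filter starts before this hunk.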
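Review bot: The zip fallback on the `code =>` line of the second hunk silently tolerates a column-count mismatch: `Array#zip` pads with nil when the split `[message]` has fewer than seven elements and drops any extra trailing elements, so a ja4ssh.log whose column layout drifts from the seven-name `init` list yields a partly-nil or truncated `[zeek_cols]` with no tag, unlike the dissect path, which at least marks `_dissectfailure`. A length check in the same ruby code would surface that condition to downstream detection rather than hiding it, e.g. `msg = event.get('[message]'); event.tag('_zeek_ja4ssh_column_mismatch') if msg.is_a?(Array) && msg.length != @zeek_ja4ssh_field_names.length` placed before the existing `event.set(...)` (the tag name is a constructed example, not taken from the file). The `if ("_dissectfailure" in [tags])` block this ruby filter sits in opens in the first hunk, outside this one.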