forked from alias454/graylog-zeek-content-pack
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bro_http_graylog_pipeline.txt
35 lines (34 loc) · 1.1 KB
/
bro_http_graylog_pipeline.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
rule "Extract bro_http log fields"
when
has_field("application_name") &&
contains(value: to_string($message.application_name), search: "bro_http", ignore_case: true)
then
let m = split("\\|", to_string($message.message));
set_field("ts", m[0]);
set_field("uid", m[1]);
set_field("id_orig_h", m[2]);
set_field("id_orig_p", to_long(m[3]));
set_field("id_resp_h", m[4]);
set_field("id_resp_p", to_long(m[5]));
set_field("trans_depth", m[6]);
set_field("method", m[7]);
set_field("host", m[8]);
set_field("uri", m[9]);
set_field("referrer", m[10]);
set_field("user_agent", m[11]);
set_field("request_body_len", m[12]);
set_field("response_body_len", m[13]);
set_field("status_code", m[14]);
set_field("status_msg", m[15]);
set_field("info_code", m[16]);
set_field("info_msg", m[17]);
set_field("filename", m[18]);
set_field("tags", m[19]);
set_field("username", m[20]);
set_field("password", m[21]);
set_field("proxied", m[22]);
set_field("orig_fuids", m[23]);
set_field("orig_mime_types", m[24]);
set_field("resp_fuids", m[25]);
set_field("resp_mime_types", m[26]);
end