From 09735fd6cf25d9985edae3761f8341c3664ae72c Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Mon, 26 Oct 2020 12:21:07 -0500
Subject: [PATCH] Fix zeek connection pipeline (#22151)

- connection state for rejected is 'REJ'

Closes #22149

(cherry picked from commit 5469c46c82da8472a22dce446a48ef2d1827c0db)
---
 CHANGELOG.next.asciidoc                                    | 1 +
 x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 62d1ee45f86..34b43ab3ff6 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -310,6 +310,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159]
 - Fix checkpoint module when logs contain time field. {pull}20567[20567]
 - Add field limit check for AWS Cloudtrail flattened fields. {pull}21388[21388] {issue}21382[21382]
+- Fix incorrect connection state mapping in zeek connection pipeline. {pull}22151[22151] {issue}22149[22149]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
index 9cd654edd51..c25c9cee6e5 100644
--- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -115,7 +115,7 @@ processors:
           - connection
           - start
           - end
-      REG:
+      REJ:
         conn_str: "Connection attempt rejected."
         types:
           - connection
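Review bot: The key is corrected to `REJ` in pipeline.yml, but the commit touches no test log or expected-output fixture for the zeek connection module, so a `conn_state` of `REJ` is still not exercised and the same kind of mis-keyed state would pass CI unnoticed again; adding one rejected-connection event to the module's test data would pin the mapping. Rejected attempts are the usual evidence of port scans and blocked services, so while the key was wrong those events presumably lost the `Connection attempt rejected.` enrichment and the connection/start/end event types shown in the hunk — worth confirming against the script that consumes this map, which starts outside the hunk. Since this entry was evidently hand-typed, it is also worth checking that the remaining Zeek `conn_state` values (S0, S1, SF, S2, S3, RSTO, RSTR, RSTOS0, RSTRH, SH, SHR, OTH) are present and spelled exactly as Zeek emits them. The mapping this key belongs to begins before and continues past the hunk.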