From 05e0c0f24904e84eff0d033a665e7f368fd84acd Mon Sep 17 00:00:00 2001
From: xander33 <34045167+xander33@users.noreply.github.com>
Date: Tue, 28 Jan 2020 10:00:13 -0600
Subject: [PATCH 1/2] Update pipeline.json

---
 x-pack/filebeat/module/zeek/weird/ingest/pipeline.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
index a7f5d85e211..1e6bc224774 100644
--- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
+++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
@@ -28,13 +28,15 @@
 {
 "set": {
 "field": "source.ip",
-"value": "{{source.address}}"
+"value": "{{source.address}}",
+"if": "ctx.source.address != null"
 }
 },
 {
 "set": {
 "field": "destination.ip",
-"value": "{{destination.address}}"
+"value": "{{destination.address}}",
+"if": "ctx.destination.address != null"
 }
 }
 ],

From 52f38c4f93f7733aa6e8525688eb9de3bf4230cc Mon Sep 17 00:00:00 2001
From: xander33 <34045167+xander33@users.noreply.github.com>
Date: Fri, 31 Jan 2020 16:25:10 -0600
Subject: [PATCH 2/2] Fix zeek weird pipeline

---
 CHANGELOG.next.asciidoc | 1 +
 .../module/zeek/weird/ingest/pipeline.json | 4 ++--
 .../module/zeek/weird/test/weird-json.log | 1 +
 .../zeek/weird/test/weird-json.log-expected.json | 15 +++++++++++++++
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 28366c77271..807faad2451 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590]
 - Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
 - Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
+- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
index 1e6bc224774..a97cdeb22bb 100644
--- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
+++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.json
@@ -29,14 +29,14 @@
 "set": {
 "field": "source.ip",
 "value": "{{source.address}}",
-"if": "ctx.source.address != null"
+"if": "ctx?.source?.address != null"
 }
 },
 {
 "set": {
 "field": "destination.ip",
 "value": "{{destination.address}}",
-"if": "ctx.destination.address != null"
+"if": "ctx?.destination?.address != null"
 }
 }
 ],
diff --git a/x-pack/filebeat/module/zeek/weird/test/weird-json.log b/x-pack/filebeat/module/zeek/weird/test/weird-json.log
index 0441a447ecb..5e49a4b9849 100644
--- a/x-pack/filebeat/module/zeek/weird/test/weird-json.log
+++ b/x-pack/filebeat/module/zeek/weird/test/weird-json.log
@@ -1 +1,2 @@
 {"ts":1543877999.99354,"uid":"C1ralPp062bkwWt4e","id.orig_h":"192.168.1.1","id.orig_p":64521,"id.resp_h":"192.168.1.2","id.resp_p":53,"name":"dns_unmatched_reply","notice":false,"peer":"worker-6"}
+{"ts":1580227259.342809,"name":"non_ip_packet_in_ethernet","notice":false,"peer":"ens3f1-4"}
diff --git a/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json b/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
index cbb5de6ec56..f1fdb20678f 100644
--- a/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
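Review bot: The null-safe `if` guards on the `source.ip` and `destination.ip` set processors are only exercised by a record that lacks both addresses; the sample line added to weird-json.log in this same commit has neither `id.orig_h` nor `id.resp_h`, so the expected output never shows the two conditions evaluating independently. A second sample record carrying only `id.orig_h` would confirm that one processor is skipped while the other still populates its `ip`-typed field, which is the mapping-error scenario the changelog entry describes. The `processors` array these two entries belong to starts and ends outside the hunk, so whether an upstream processor could leave `source.address` set to a non-IP value cannot be judged from here.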
+++ b/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
@@ -21,5 +21,20 @@
 "zeek.weird.name": "dns_unmatched_reply",
 "zeek.weird.notice": false,
 "zeek.weird.peer": "worker-6"
+},
+{
+"@timestamp": "2020-01-28T16:00:59.342Z",
+"event.dataset": "zeek.weird",
+"event.module": "zeek",
+"fileset.name": "weird",
+"input.type": "log",
+"log.offset": 197,
+"service.type": "zeek",
+"tags": [
+"zeek.weird"
+],
+"zeek.weird.name": "non_ip_packet_in_ethernet",
+"zeek.weird.notice": false,
+"zeek.weird.peer": "ens3f1-4"
 }
 ]
\ No newline at end of file