-
Notifications
You must be signed in to change notification settings - Fork 444
/
default.yml
147 lines (147 loc) · 4.99 KB
/
default.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
---
description: Pipeline for processing Teleport audit logs
processors:
# Process the message field.
- set:
field: ecs.version
tag: set_ecs_version
value: 8.11.0
- rename:
field: message
target_field: event.original
tag: rename_message
ignore_missing: true
if: ctx.event?.original == null
- remove:
field: message
ignore_missing: true
tag: remove_message
if: ctx.event?.original != null
- json:
field: event.original
tag: json_original
target_field: teleport.audit
# Metadata is a common event metadata.
# All of these fields are mapped to ECS fields.
- date:
field: teleport.audit.time
target_field: '@timestamp'
formats:
- ISO8601
if: ctx.teleport?.audit?.time != null
- remove:
field: teleport.audit.time
ignore_missing: true
- rename:
field: teleport.audit.event
target_field: event.action
ignore_missing: true
- rename:
field: teleport.audit.code
target_field: event.code
ignore_missing: true
- rename:
field: teleport.audit.uid
target_field: event.id
ignore_missing: true
- rename:
field: teleport.audit.ei
target_field: event.sequence
ignore_missing: true
# Add the event categorization.
- pipeline:
name: '{{ IngestPipeline "event-categories" }}'
ignore_failure: true
# Process most of the field groups.
- pipeline:
name: '{{ IngestPipeline "event-groups" }}'
ignore_failure: true
# App session request related metadata
# The HTTP-related fields are used for other events as well. They work as catch-all
# fields and should be at the end of the group processing.
- rename:
field: teleport.audit.method
target_field: http.request.method
ignore_missing: true
- rename:
field: teleport.audit.path
target_field: url.path
ignore_missing: true
ignore_failure: true
- rename:
field: teleport.audit.raw_query
target_field: url.query
ignore_missing: true
ignore_failure: true
- rename:
field: teleport.audit.cluster_name
target_field: orchestrator.cluster.name
ignore_missing: true
ignore_failure: true
- remove:
field: teleport.audit.cluster_name
ignore_missing: true
- rename:
field: teleport.audit.name
target_field: orchestrator.resource.name
ignore_missing: true
- script:
description: Convert the body if it's base64-encoded.
tag: script_decode_body_base64
lang: painless
if: ctx.teleport?.audit?.body != null
source: |
ctx.teleport.audit.body = ctx.teleport.audit.body.decodeBase64();
ignore_failure: true
- rename:
description: Move the body field directly if it's already a JSON or cannot be parsed.
tag: move_body_json
field: teleport.audit.body
target_field: teleport.audit.database.request_body
ignore_missing: true
- set:
field: http.request.body.content
value: '{{{teleport.audit.database.request_body}}}'
if: ctx.teleport?.audit?.database?.request_body != null && (ctx.teleport?.audit?.database?.request_body instanceof String)
- json:
description: Try to parse the body field directly as JSON.
field: teleport.audit.database.request_body
tag: json_http_request_body
ignore_failure: true
if: ctx.teleport?.audit?.database?.request_body != null
- rename:
field: teleport.audit.status_code
target_field: http.response.status_code
ignore_missing: true
- append:
field: message
value:
- '{{{teleport.audit.error}}}'
allow_duplicates: false
if: ctx.teleport?.audit?.error != null
- remove:
field: teleport.audit.error
ignore_missing: true
# Enrich the fields.
- pipeline:
name: '{{ IngestPipeline "event-enrich" }}'
ignore_failure: true
# Final steps.
- remove:
field: event.original
tag: remove_original_event
if: ctx?.tags == null || !(ctx.tags.contains("preserve_original_event"))
ignore_failure: true
ignore_missing: true
- script:
description: Drops null/empty values recursively.
tag: script_drop_null_empty_values
lang: painless
source: "boolean dropEmptyFields(Object object) {\n if (object == null || object == \"\") {\n return true;\n } else if (object instanceof Map) {\n ((Map) object).values().removeIf(value -> dropEmptyFields(value));\n return (((Map) object).size() == 0);\n } else if (object instanceof List) {\n ((List) object).removeIf(value -> dropEmptyFields(value));\n return (((List) object).length == 0);\n }\n return false;\n}\ndropEmptyFields(ctx);\n"
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.kind
value: pipeline_error