diff --git a/config/processors/api_security_proofpoint.pod_email_gateway.conf b/config/processors/api_security_proofpoint.pod_email_gateway.conf
index 8949e9a2..bd33067a 100644
--- a/config/processors/api_security_proofpoint.pod_email_gateway.conf
+++ b/config/processors/api_security_proofpoint.pod_email_gateway.conf
@@ -27,7 +27,7 @@ filter {
 }
 # lowercase field names
 ruby {
- path => "${LOGSTASH_HOME}\config\lower.rb"
+ path => "${LOGSTASH_HOME}/config/lower.rb"
 tag_on_exception => "_lowecase_ruby_block"
 }
 # [file][mime_type]
diff --git a/config/processors/event_hub_audit_azure.event_hub_securityalert.conf b/config/processors/event_hub_audit_azure.event_hub_securityalert.conf
index 761a2727..9ecfbd5a 100644
--- a/config/processors/event_hub_audit_azure.event_hub_securityalert.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_securityalert.conf
@@ -51,42 +51,7 @@ filter {
 }
 # lowercase field names
 ruby {
- init => '@ignore = [ "path", "@timestamp", "@metadata", "host", "@version" ]'
- code => '
- def processArray(a)
- newArray = []
- a.each { |x|
- newArray << processObject(x)
- }
- newArray
- end
- def processHash(h)
- newHash = {}
- h.each { |k, v|
- newHash[k.downcase] = processObject(v)
- }
- newHash
- end
- def processObject(v)
- if v.kind_of?(Array)
- processArray(v)
- elsif v.kind_of?(Hash)
- processHash(v)
- else
- v
- end
- end
- def filter(i_event)
- i_event.to_hash.each { |k, v|
- unless @ignore.include?(k)
- i_event.remove(k)
- i_event.set(k.downcase, processObject(v))
- end
- }
- [i_event]
- end
- filter(event)
- '
+ path => "${LOGSTASH_HOME}/config/lower.rb"
 tag_on_exception => "_lowecase_ruby_block"
 }
 mutate {
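Review bot: In api_security_proofpoint.pod_email_gateway.conf the corrected `path => "${LOGSTASH_HOME}/config/lower.rb"` still depends on an environment variable with no default, and the same line is added in event_hub_audit_azure.event_hub_securityalert.conf. Logstash rejects a pipeline config that references an undefined variable, so LOGSTASH_HOME has to be set for the service on every node that loads these processors. The script is loaded from disk and runs inside the Logstash process, so a comment above the block would help operators, for example `# lower.rb runs in-process: LOGSTASH_HOME must be set; keep the file writable only by the deploy account`. The enclosing `filter` block starts and ends outside the hunk.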
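Review bot: In event_hub_audit_azure.event_hub_securityalert.conf the inline `init`/`code` pair is replaced by lower.rb, but that script is not part of this diff, so it cannot be confirmed here that it keeps the ignore list (`path`, `@timestamp`, `@metadata`, `host`, `@version`) and the recursive downcasing of nested hashes and arrays. If the script raises, the event is only tagged `_lowecase_ruby_block` and presumably continues with its original mixed-case field names, which later filters or detections keyed on lowercase names would not match. A comment saying so would make the tag easier to monitor, e.g. `# events tagged _lowecase_ruby_block kept their original field-name case`. The tag name looks like a misspelling of "lowercase"; renaming it is only safe if nothing downstream matches on the current spelling. The `filter` block continues outside the hunk.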