Fix field alignment for syncplicity

Cargill · Oct 22, 2024 · 82df7b7 · 82df7b7
1 parent 488f4c5
commit 82df7b7
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/config/processors/api_audit_syncplicity.usr_report.conf b/config/processors/api_audit_syncplicity.usr_report.conf
@@ -12,20 +12,17 @@ filter {
     add_field => { "[event][module]" => "syncplicity" }
     add_field => { "[event][dataset]" => "syncplicity.user_logs" }
   }
-
-  #  -Header "Syncplicity Folder: Name", "Syncplicity Folder: GUID", "Syncplicity Folder: Owner", "Syncplicity Folder: Owner Email", "Syncplicity Folder: Owner Group", "Folder: Path", "Folder: Name", "File: Name", "Action: Type", "Shared Link: Type", "Shared Link: Outcome", "Action: Date and Time: UTC", "Action: Date and Time: UTC_1", "Action By: User Name", "Action By: Email", "Action By: Device Name", "Action By: IP Address", "On Behalf Of: User Name", "On Behalf Of: Email", "Folder Shared/Unshared: Group Name", "Folder Shared/Unshared: User Name", "Folder Shared/Unshared: Email", "Folder Shared/Unshared: Permissions", "Shared Link: Group Name", "Shared Link: User Name", "Shared Link: Email", "Tags", "Lock: Owner Name", "Lock: Owner Email", "Lock: Duration", "Lock: Expiration Date and Time: UTC"
-
   csv {
     source => "message"
-    columns => ["[file][directory]","[event][id]","[source][user][name]","[source][user][email]","[group][name]","[file][path]","[file][type]","[file][name]","[event][action]","[rule][category]","[rule][ruleset]","drop_field","[event][start]","[user][full_name]","[user][email]","[host][hostname]","[source][ip]","drop_field_2","[client][user][email]","drop_field_3","drop_field_4","drop_field_5","[rule][name]","[file][group]","[destination][user][name]","[destination][user][email]","drop_field_6","drop_field_7","drop_field_8","[event][duration]","[event][end]"]
+    columns => ["[file][directory]","[event][id]","[source][user][name]","[source][user][email]","[group][name]","[file][path]","[file][type]","[file][name]"                       ,"[event][action]"  ,"[rule][category]"         ,"[rule][ruleset]","drop_field","[event][start]"                       ,"[user][full_name]","[user][email]"     ,"[host][hostname]","[source][ip]","drop_field_2","[client][user][email]","drop_field_3","drop_field_4","drop_field_5","drop_field_9","[rule][name]","[file][group]","[destination][user][name]","[destination][user][email]","drop_field_6","drop_field_7","drop_field_8","[event][duration]","[event][end]"]
     convert => {
       "[event][duration]" => "integer"
     }
     skip_empty_columns => true
     skip_empty_rows => true
   }
   mutate {
-    remove_field => ["msg","drop_field","drop_field_2","drop_field_3","drop_field_4","drop_field_5","drop_field_6","drop_field_7","drop_field_8"]
+    remove_field => ["msg","drop_field","drop_field_2","drop_field_3","drop_field_4","drop_field_5","drop_field_6","drop_field_7","drop_field_8", "drop_field_9"]
   }
   date {
     match => [ "[event][start]", "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss.SSS","MMM dd HH:mm:ss.SSS", "MMM dd HH:mm:ss", "dd-MM-yyyy HH:mm"]