From 43f200cb50c0267ae22988745924927aa2805542 Mon Sep 17 00:00:00 2001
From: Daryl Coburn
Date: Fri, 16 Aug 2024 14:44:28 -0600
Subject: [PATCH] adjusted host_split enrich

---
 config/enrichments/09_host_split.conf | 113 +++++++++++---------
 1 file changed, 49 insertions(+), 64 deletions(-)

diff --git a/config/enrichments/09_host_split.conf b/config/enrichments/09_host_split.conf
index b87edaca..85522b2e 100644
--- a/config/enrichments/09_host_split.conf
+++ b/config/enrichments/09_host_split.conf
@@ -5,122 +5,107 @@ filter {
 }
 } else {
- # [client][address] [client][ip] [client][domain]
+ # [client][address] [client][domain]
 if [client][address] =~ "^.*?\..*?$" {
- if [client][address] =~ "^\d+.\d+.\d+.\d+$" {
+ if [client][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[client][address]" => "(ip:)?(?<[client][ip]>.*)" }
- tag_on_failure => "_clientaddress_grok_failure"
+ match => { "[client][address]" => "^(?<[client][tmp]>\d+.\d+.\d+.\d+)\.(?<[client][domain]>.*?)$" }
+ tag_on_failure => "_logsourcesourcename_grok_failure"
 }
 mutate {
- remove_field => [ "[client][address]" ]
+ rename => { "[client][tmp]" => "[client][address]" }
 }
- }
- else {
- mutate {
- add_field => { "[client][domain]" => "%{[client][address]}" }
+ } else if [client][address] !~ "^\d+\.\d+\.\d+\.\d+$" {
+ grok {
+ match => { "[client][address]" => "^(?<[client][tmp]>.*?)\.(?<[client][domain]>.*?)$" }
+ tag_on_failure => "_logsourcesourcename_grok_failure_2"
 }
 mutate {
- gsub => [
- "[client][address]", "^(.*?)\.(.*)$", "\1",
- "[client][domain]", "^(.*?)\.(.*)$", "\2"
- ]
+ rename => { "[client][tmp]" => "[client][address]" }
 }
 }
 }
- # [server][address] [server][ip] [server][domain]
+ # [server][address] [server][domain]
 if [server][address] =~ "^.*?\..*?$" {
- if [server][address] =~ "^\d+.\d+.\d+.\d+$" {
+ if [server][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[server][address]" => "(ip:)?(?<[server][ip]>.*)" }
- tag_on_failure => "_serveraddress_grok_failure"
+ match => { "[server][address]" => "^(?<[server][tmp]>\d+.\d+.\d+.\d+)\.(?<[server][domain]>.*?)$" }
+ tag_on_failure => "_logsourcesourcename_grok_failure"
 }
 mutate {
- remove_field => [ "[server][address]" ]
+ rename => { "[server][tmp]" => "[server][address]" }
 }
- }
- else {
- mutate {
- add_field => { "[server][domain]" => "%{[server][address]}" }
+ } else if [server][address] !~ "^\d+\.\d+\.\d+\.\d+$" {
+ grok {
+ match => { "[server][address]" => "^(?<[server][tmp]>.*?)\.(?<[server][domain]>.*?)$" }
+ tag_on_failure => "_logsourcesourcename_grok_failure_2"
 }
 mutate {
- gsub => [
- "[server][address]", "^(.*?)\.(.*)$", "\1",
- "[server][domain]", "^(.*?)\.(.*)$", "\2"
- ]
+ rename => { "[server][tmp]" => "[server][address]" }
 }
 }
 }
- # [source][address] [source][ip] [source][domain]
+ # [source][address] [source][domain]
 if [source][address] =~ "^.*?\..*?$" {
- if [source][address] =~ "^\d+.\d+.\d+.\d+$" {
+ if [source][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[source][address]" => "(ip:)?(?<[source][ip]>.*)" }
- tag_on_failure => "_sourceaddress_grok_failure"
+ match => { "[source][address]" => "^(?<[source][tmp]>\d+.\d+.\d+.\d+)\.(?<[source][domain]>.*?)$" }
+ tag_on_failure => "_logsourcesourcename_grok_failure"
 }
 mutate {
- remove_field => [ "[source][address]" ]
+ rename => { "[source][tmp]" => "[source][address]" }
 }
- }
- else {
- mutate {
- add_field => { "[source][domain]" => "%{[source][address]}" }
+ } else if [source][address] !~ "^\d+\.\d+\.\d+\.\d+$" {
+ grok {
+ match => { "[source][address]" => "^(?<[source][tmp]>.*?)\.(?<[source][domain]>.*?)$" }
+ tag_on_failure => "_logsourcesourcename_grok_failure_2"
 }
 mutate {
- gsub => [
- "[source][address]", "^(.*?)\.(.*)$", "\1",
- "[source][domain]", "^(.*?)\.(.*)$", "\2"
- ]
+ rename => { "[source][tmp]" => "[source][address]" }
 }
 }
 }
- # [host][hostname] [host][ip] [host][domain]
+ # [host][hostname] [host][domain]
 if [host][hostname] =~ "^.*?\..*?$" {
- if [host][hostname] =~ "\d+.\d+.\d+.\d+" {
+ if [host][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[host][hostname]" => "(ip:)?(?<[host][ip]>.*)" }
- tag_on_failure => "_hostname_grok_failure"
+ match => { "[host][hostname]" => "^(?<[host][tmp]>\d+.\d+.\d+.\d+)\.(?<[host][domain]>.*?)$" }
+ tag_on_failure => "_logsourcehostname_grok_failure"
 }
 mutate {
- remove_field => [ "[host][hostname]" ]
+ rename => { "[host][tmp]" => "[host][hostname]" }
 }
- }
- else {
- mutate {
- add_field => { "[host][domain]" => "%{[host][hostname]}" }
+ } else if [host][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
+ grok {
+ match => { "[host][hostname]" => "^(?<[host][tmp]>.*?)\.(?<[host][domain]>.*?)$" }
+ tag_on_failure => "_logsourcehostname_grok_failure_2"
 }
 mutate {
- gsub => [
- "[host][hostname]", "^(.*?)\.(.*)$", "\1",
- "[host][domain]", "^(.*?)\.(.*)$", "\2"
- ]
+ rename => { "[host][tmp]" => "[host][hostname]" }
 }
 }
 }
- # [log][source][hostname] [log][source][ip] [log][source][domain]
+ # [log][source][hostname] [log][source][domain]
 if [log][source][hostname] =~ "^.*?\..*?$" {
- if [log][source][hostname] =~ "\d+.\d+.\d+.\d+" {
+ if [log][source][hostname] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
 grok {
- match => { "[log][source][hostname]" => "(ip:)?(?<[log][source][ip]>.*)" }
+ match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>\d+.\d+.\d+.\d+)\.(?<[log][source][domain]>.*?)$" }
 tag_on_failure => "_logsourcehostname_grok_failure"
 }
 mutate {
- remove_field => [ "[log][source][hostname]" ]
+ rename => { "[log][source][tmp]" => "[log][source][hostname]" }
 }
- }
- else {
- mutate {
- add_field => { "[log][source][domain]" => "%{[log][source][hostname]}" }
+ } else if [log][source][hostname] !~ "^\d+\.\d+\.\d+\.\d+$" {
+ grok {
+ match => { "[log][source][hostname]" => "^(?<[log][source][tmp]>.*?)\.(?<[log][source][domain]>.*?)$" }
+ tag_on_failure => "_logsourcehostname_grok_failure_2"
 }
 mutate {
- gsub => [
- "[log][source][hostname]", "^(.*?)\.(.*)$", "\1",
- "[log][source][domain]", "^(.*?)\.(.*)$", "\2"
- ]
+ rename => { "[log][source][tmp]" => "[log][source][hostname]" }
 }
 }
 }
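Review bot: The new `tag_on_failure` values no longer identify the field that failed: the client, server and source sections all emit `_logsourcesourcename_grok_failure` / `_..._2`, and the host section now emits `_logsourcehostname_grok_failure`, which the unchanged context line in the log.source section shows was already that section's tag, so the per-field tags the removed lines carried (`_clientaddress_grok_failure`, `_serveraddress_grok_failure`, `_sourceaddress_grok_failure`, `_hostname_grok_failure`) are lost and an event tagged on a grok failure cannot be traced back to the field; restore one distinct tag per section, e.g. `tag_on_failure => "_clientaddress_grok_failure"` and `tag_on_failure => "_clientaddress_grok_failure_2"` in the client block, and likewise for the others. The grok capture `\d+.\d+.\d+.\d+` in every IPv4 branch leaves its dots unescaped while the `if` guard directly above it escapes them; it only works because the guard has already fixed the shape of the value, so escape them in the grok too to keep the two patterns in step. The `else if ... !~ "^\d+\.\d+\.\d+\.\d+$"` branch excludes only a bare dotted quad, so any other value containing a dot is split at its first dot — if IPv4-mapped IPv6 literals such as `::ffff:10.0.0.1` can reach these fields, they would be cut into `::ffff:10` and `0.0.1`; adding `and [client][address] !~ ":"` to that condition would leave such values untouched. The enclosing `else {` and `filter {` blocks open before this hunk and close after it.
```logstash
# … unchanged: outer "contains a dot" guard on [client][address] …
if [client][address] =~ "^\d+\.\d+\.\d+\.\d+\..*?$" {
  grok {
    match => { "[client][address]" => "^(?<[client][tmp]>\d+\.\d+\.\d+\.\d+)\.(?<[client][domain]>.*?)$" }
    tag_on_failure => "_clientaddress_grok_failure"
  }
  # … unchanged: rename [client][tmp] -> [client][address] …
} else if [client][address] !~ "^\d+\.\d+\.\d+\.\d+$" and [client][address] !~ ":" {
  grok {
    match => { "[client][address]" => "^(?<[client][tmp]>.*?)\.(?<[client][domain]>.*?)$" }
    tag_on_failure => "_clientaddress_grok_failure_2"
  }
  # … unchanged: rename [client][tmp] -> [client][address] …
}
```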