From 8fb3bd821b6fd261dfc46dd26968f0d0356d721e Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Thu, 2 May 2024 15:32:43 -0500
Subject: [PATCH 1/2] added eveevent.original to skyhigh log souces
---
 config/processors/api_security_skyhigh.scp.conf | 1 +
 config/processors/syslog_security_skyhigh.swg.conf | 1 +
 2 files changed, 2 insertions(+)
diff --git a/config/processors/api_security_skyhigh.scp.conf b/config/processors/api_security_skyhigh.scp.conf
index 17c4f8d5..f76fc625 100644
--- a/config/processors/api_security_skyhigh.scp.conf
+++ b/config/processors/api_security_skyhigh.scp.conf
@@ -10,6 +10,7 @@ filter {
 mutate {
 add_field => { "[event][module]" => "skyhigh" }
 add_field => { "[event][dataset]" => "skyhigh.scp" }
+ copy => { "message => "[event][original]" }
 strip => ["message"]
 }
 if ![message] or [message] == "" {
diff --git a/config/processors/syslog_security_skyhigh.swg.conf b/config/processors/syslog_security_skyhigh.swg.conf
index 8dbdac94..3fda2dcf 100644
--- a/config/processors/syslog_security_skyhigh.swg.conf
+++ b/config/processors/syslog_security_skyhigh.swg.conf
@@ -11,6 +11,7 @@ filter {
 mutate {
 add_field => { "[event][module]" => "skyhigh" }
 add_field => { "[event][dataset]" => "skyhigh.swg" }
+ copy => { "message => "[event][original]" }
 }
 grok {
 tag_on_failure => "_parsefailure_header"
From 9d8b027db9192b8c008240ac4c53748972c90815 Mon Sep 17 00:00:00 2001
From: Brian Grabau
Date: Thu, 2 May 2024 15:43:49 -0500
Subject: [PATCH 2/2] added missing quoate
---
 config/processors/api_security_skyhigh.scp.conf | 2 +-
 config/processors/syslog_security_skyhigh.swg.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/processors/api_security_skyhigh.scp.conf b/config/processors/api_security_skyhigh.scp.conf
index f76fc625..0ff069ce 100644
--- a/config/processors/api_security_skyhigh.scp.conf
+++ b/config/processors/api_security_skyhigh.scp.conf
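Review bot: In the api_security_skyhigh.scp.conf hunk the new `copy` is placed in the same `mutate` block as `strip => ["message"]`, and as I read the mutate filter's fixed option ordering, `strip` is applied before `copy` regardless of their order in the block, so `[event][original]` would receive the whitespace-stripped message rather than the untouched input. For a field whose purpose is to preserve the raw event for forensic review and replay, it is worth moving the copy into its own block placed ahead of the stripping one: `mutate { copy => { "message" => "[event][original]" } }`. The PATCH 2/2 hunk for the same file keeps this layout and only repairs the quoting, so the point applies there too. The syslog_security_skyhigh.swg.conf hunk has no other mutation in its block, so ordering is not a concern there. The enclosing `filter` block starts and ends outside the hunk.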
@@ -10,7 +10,7 @@ filter {
 mutate {
 add_field => { "[event][module]" => "skyhigh" }
 add_field => { "[event][dataset]" => "skyhigh.scp" }
- copy => { "message => "[event][original]" }
+ copy => { "message" => "[event][original]" }
 strip => ["message"]
 }
 if ![message] or [message] == "" {
diff --git a/config/processors/syslog_security_skyhigh.swg.conf b/config/processors/syslog_security_skyhigh.swg.conf
index 3fda2dcf..724c86ee 100644
--- a/config/processors/syslog_security_skyhigh.swg.conf
+++ b/config/processors/syslog_security_skyhigh.swg.conf
@@ -11,7 +11,7 @@ filter {
 mutate {
 add_field => { "[event][module]" => "skyhigh" }
 add_field => { "[event][dataset]" => "skyhigh.swg" }
- copy => { "message => "[event][original]" }
+ copy => { "message" => "[event][original]" }
 }
 grok {
 tag_on_failure => "_parsefailure_header"