support websocket.log; idaholab#593

mmguero-dev · Oct 11, 2024 · f59ff49 · f59ff49
1 parent 5040313
commit f59ff49
Showing 1 changed file with 21 additions and 13 deletions.
diff --git a/logstash/pipelines/zeek/1069_zeek_websocket.conf b/logstash/pipelines/zeek/1069_zeek_websocket.conf
@@ -30,19 +30,27 @@ filter {
       }
     }
 
-    # zeek says it's a vector, but I'm seeing semicolon-separated as well
-    mutate { id => "mutate_split_zeek_websocket_commas"
-             split => { "[zeek_cols][client_protocols]" => ","
-                        "[zeek_cols][server_extensions]" => ","
-                        "[zeek_cols][client_extensions]" => "," } }
-    mutate { id => "mutate_split_zeek_websocket_semicolons"
-             split => { "[zeek_cols][client_protocols]" => ";"
-                        "[zeek_cols][server_extensions]" => ";"
-                        "[zeek_cols][client_extensions]" => ";" } }
-    mutate { id => "mutate_strip_zeek_websocket"
-             strip => [ "[zeek_cols][client_protocols]",
-                        "[zeek_cols][server_extensions]",
-                        "[zeek_cols][client_extensions]" ] }
+    # split some vector fields (on , and ;) a few fields and trim spaces
+    ruby {
+      id => "ruby_websocket_split_and_clean"
+      code => "
+        if (client_protocols = event.get('[zeek_cols][client_protocols]')) then
+          client_protocols = client_protocols.split(/[,;]/)
+          client_protocols.collect{ |e| e ? e.strip : e }
+          event.set('[zeek_cols][client_protocols]', client_protocols)
+        end
+        if (server_extensions = event.get('[zeek_cols][server_extensions]')) then
+          server_extensions = server_extensions.split(/[,;]/)
+          server_extensions.collect{ |e| e ? e.strip : e }
+          event.set('[zeek_cols][server_extensions]', server_extensions)
+        end
+        if (client_extensions = event.get('[zeek_cols][client_extensions]')) then
+          client_extensions = client_extensions.split(/[,;]/)
+          client_extensions.collect{ |e| e ? e.strip : e }
+          event.set('[zeek_cols][client_extensions]', client_extensions)
+        end
+      "
+    }
 
     mutate {
       id => "mutate_add_field_zeek_service_websocket"