
Commit 8fce110

authored
[Filebeat][zeek] Map new x509 fields for ssl module (elastic#20927)
* Map new x509 fields for ssl module * Add changelog entry
1 parent 997df18 commit 8fce110

3 files changed

Lines changed: 113 additions & 0 deletions


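--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -552,6 +552,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455]
 - Convert httpjson to v2 input {pull}20226[20226]
 - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
+- Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
 
 *Heartbeat*
 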
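--- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
@@ -76,26 +76,50 @@ processors:
 field: zeek.ssl.server.issuer.C
 target_field: zeek.ssl.server.issuer.country
 ignore_missing: true
+- set:
+field: tls.server.x509.issuer.country
+value: '{{zeek.ssl.server.issuer.country}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.issuer.CN
 target_field: zeek.ssl.server.issuer.common_name
 ignore_missing: true
+- set:
+field: tls.server.x509.issuer.common_name
+value: '{{zeek.ssl.server.issuer.common_name}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.issuer.L
 target_field: zeek.ssl.server.issuer.locality
 ignore_missing: true
+- set:
+field: tls.server.x509.issuer.locality
+value: '{{zeek.ssl.server.issuer.locality}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.issuer.O
 target_field: zeek.ssl.server.issuer.organization
 ignore_missing: true
+- set:
+field: tls.server.x509.issuer.organization
+value: '{{zeek.ssl.server.issuer.organization}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.issuer.OU
 target_field: zeek.ssl.server.issuer.organizational_unit
 ignore_missing: true
+- set:
+field: tls.server.x509.issuer.organizational_unit
+value: '{{zeek.ssl.server.issuer.organizational_unit}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.issuer.ST
 target_field: zeek.ssl.server.issuer.state
 ignore_missing: true
+- set:
+field: tls.server.x509.issuer.state_or_province
+value: '{{zeek.ssl.server.issuer.state}}'
+ignore_empty_value: true
 - gsub:
 field: zeek.ssl.subject
 pattern: \\,
@@ -114,26 +138,50 @@ processors:
 field: zeek.ssl.server.subject.C
 target_field: zeek.ssl.server.subject.country
 ignore_missing: true
+- set:
+field: tls.server.x509.subject.country
+value: '{{zeek.ssl.server.subject.country}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.subject.CN
 target_field: zeek.ssl.server.subject.common_name
 ignore_missing: true
+- set:
+field: tls.server.x509.subject.common_name
+value: '{{zeek.ssl.server.subject.common_name}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.subject.L
 target_field: zeek.ssl.server.subject.locality
 ignore_missing: true
+- set:
+field: tls.server.x509.subject.locality
+value: '{{zeek.ssl.server.subject.locality}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.subject.O
 target_field: zeek.ssl.server.subject.organization
 ignore_missing: true
+- set:
+field: tls.server.x509.subject.organization
+value: '{{zeek.ssl.server.subject.organization}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.subject.OU
 target_field: zeek.ssl.server.subject.organizational_unit
 ignore_missing: true
+- set:
+field: tls.server.x509.subject.organizational_unit
+value: '{{zeek.ssl.server.subject.organizational_unit}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.server.subject.ST
 target_field: zeek.ssl.server.subject.state
 ignore_missing: true
+- set:
+field: tls.server.x509.subject.state_or_province
+value: '{{zeek.ssl.server.subject.state}}'
+ignore_empty_value: true
 - gsub:
 field: zeek.ssl.client_issuer
 pattern: \\,
@@ -153,26 +201,50 @@ processors:
 field: zeek.ssl.client.issuer.C
 target_field: zeek.ssl.client.issuer.country
 ignore_missing: true
+- set:
+field: tls.client.x509.issuer.country
+value: '{{zeek.ssl.client.issuer.country}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.issuer.CN
 target_field: zeek.ssl.client.issuer.common_name
 ignore_missing: true
+- set:
+field: tls.client.x509.issuer.common_name
+value: '{{zeek.ssl.client.issuer.common_name}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.issuer.L
 target_field: zeek.ssl.client.issuer.locality
 ignore_missing: true
+- set:
+field: tls.client.x509.issuer.locality
+value: '{{zeek.ssl.client.issuer.locality}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.issuer.O
 target_field: zeek.ssl.client.issuer.organization
 ignore_missing: true
+- set:
+field: tls.client.x509.issuer.organization
+value: '{{zeek.ssl.client.issuer.organization}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.issuer.OU
 target_field: zeek.ssl.client.issuer.organizational_unit
 ignore_missing: true
+- set:
+field: tls.client.x509.issuer.organizational_unit
+value: '{{zeek.ssl.client.issuer.organizational_unit}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.issuer.ST
 target_field: zeek.ssl.client.issuer.state
 ignore_missing: true
+- set:
+field: tls.client.x509.issuer.state_or_province
+value: '{{zeek.ssl.client.issuer.state}}'
+ignore_empty_value: true
 - gsub:
 field: zeek.ssl.client_subject
 pattern: \\,
@@ -191,26 +263,50 @@ processors:
 field: zeek.ssl.client.subject.C
 target_field: zeek.ssl.client.subject.country
 ignore_missing: true
+- set:
+field: tls.client.x509.subject.country
+value: '{{zeek.ssl.client.subject.country}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.subject.CN
 target_field: zeek.ssl.client.subject.common_name
 ignore_missing: true
+- set:
+field: tls.client.x509.subject.common_name
+value: '{{zeek.ssl.client.subject.common_name}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.subject.L
 target_field: zeek.ssl.client.subject.locality
 ignore_missing: true
+- set:
+field: tls.client.x509.subject.locality
+value: '{{zeek.ssl.client.subject.locality}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.subject.O
 target_field: zeek.ssl.client.subject.organization
 ignore_missing: true
+- set:
+field: tls.client.x509.subject.organization
+value: '{{zeek.ssl.client.subject.organization}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.subject.OU
 target_field: zeek.ssl.client.subject.organizational_unit
 ignore_missing: true
+- set:
+field: tls.client.x509.subject.organizational_unit
+value: '{{zeek.ssl.client.subject.organizational_unit}}'
+ignore_empty_value: true
 - rename:
 field: zeek.ssl.client.subject.ST
 target_field: zeek.ssl.client.subject.state
 ignore_missing: true
+- set:
+field: tls.client.x509.subject.state_or_province
+value: '{{zeek.ssl.client.subject.state}}'
+ignore_empty_value: true
 - set:
 field: tls.cipher
 value: '{{zeek.ssl.cipher}}'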
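Review bot: The new `tls.client.x509.*` set processors (the third and fourth hunks, new-side lines 204–247 and 266–309) are not exercised by the updated expected output, which only gains `tls.server.x509.*` keys; if the sample ssl.log carries no client certificates that is understandable, but a fixture event with a client DN would pin those twelve mappings. Each `set` writes one templated string per RDN, whereas ECS treats the x509 issuer/subject RDN fields as multi-valued, so a DN with repeated components (several `OU=` values, for instance) can only carry whatever the earlier kv/split step, which sits outside these hunks, left in the `zeek.ssl.*` field — worth confirming against that step. These values are copied verbatim from the peer's certificate and are therefore chosen by whoever presented it; storing them as keywords is fine, but nothing downstream should treat them as trusted identifiers without chain validation elsewhere. A one-line comment above the first added `- set:`, `# Mirror the parsed DN components into ECS tls.*.x509.*; the zeek.ssl.* copies stay as-is.`, would explain why both field families coexist.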

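--- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
@@ -47,6 +47,14 @@
 "tls.established": true,
 "tls.resumed": false,
 "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+"tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+"tls.server.x509.issuer.country": "US",
+"tls.server.x509.issuer.organization": "DigiCert Inc",
+"tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+"tls.server.x509.subject.country": "US",
+"tls.server.x509.subject.locality": "Mountain View",
+"tls.server.x509.subject.organization": "Elasticsearch Inc.",
+"tls.server.x509.subject.state_or_province": "California",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
 "zeek.session_id": "CAOvs1BMFCX2Eh0Y3",
@@ -119,6 +127,14 @@
 "tls.established": true,
 "tls.resumed": false,
 "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+"tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+"tls.server.x509.issuer.country": "US",
+"tls.server.x509.issuer.organization": "DigiCert Inc",
+"tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+"tls.server.x509.subject.country": "US",
+"tls.server.x509.subject.locality": "Mountain View",
+"tls.server.x509.subject.organization": "Elasticsearch Inc.",
+"tls.server.x509.subject.state_or_province": "California",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
 "zeek.session_id": "C3mki91FnnNtm0u1ok",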
