Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert eve.json upon ingest #1400

Merged
merged 5 commits into from
Oct 5, 2020
Merged

Convert eve.json upon ingest #1400

merged 5 commits into from
Oct 5, 2020

Conversation

henridf
Copy link
Contributor

@henridf henridf commented Sep 30, 2020
edited
Loading

This PR adds a json type config that is suited for "alert" events output by the Brim suricata package. The config is used when transforming the Suricata-produced "eve.json" file. In addition, the suricata timestamp field is renamed to ts.

This PR is based on #1389 so if you come here first, please try to make the detour.

Closes #1213

@henridf henridf changed the base branch from master to json-suricata-timestamps September 30, 2020 14:15
@henridf henridf marked this pull request as ready for review September 30, 2020 18:45
@henridf henridf requested a review from a team September 30, 2020 18:45
henridf
henridf commented Sep 30, 2020
View reviewed changes
suricata/types.json Outdated Show resolved Hide resolved
Base automatically changed from json-suricata-timestamps to master October 1, 2020 20:51
mattnibs
mattnibs reviewed Oct 2, 2020
View reviewed changes
pkg/jsontyper/generator.go Outdated Show resolved Hide resolved
@henridf henridf requested a review from mattnibs October 2, 2020 19:12
@henridf henridf merged commit af6d47e into master Oct 5, 2020
@henridf henridf deleted the eve-json-ingest branch October 5, 2020 13:46
brim-bot pushed a commit to brimdata/zui that referenced this pull request Oct 5, 2020
zq update through "Convert eve.json upon ingest" by henridf
6f7c3be 
This is an auto-generated commit with a zq dependency update. The zq PR
brimdata/super#1400, authored by @henridf,
has been merged.

Convert eve.json upon ingest

This PR adds a json type config that is suited for "alert" events output by the Brim suricata package. The config is used when transforming the Suricata-produced "eve.json" file. In addition, the suricata `timestamp` field is renamed to `ts`.

This PR is based on brimdata/super#1389 so if you come here first, please try to make the detour.

Closes brimdata/super#1213
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattnibs mattnibs mattnibs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Suricata eve.json format conversion
2 participants
@henridf @mattnibs