Added osquery filter to parse json message.

2019-01-08 08:19:37 -08:00 · 2019-01-08 08:19:37 -08:00 · 12e4de9996
parent 240a8262ff
commit 12e4de9996
1 changed files with 12 additions and 0 deletions
--- a/docker/helk-logstash/pipeline/8116-osquery-filter.conf
+++ b/docker/helk-logstash/pipeline/8116-osquery-filter.conf
@ -0,0 +1,12 @@
+# HELK osquery filter conf file
+# HELK build Stage: Alpha
+# Author: Richie Cyrus (@rrcyrus)
+# License: GPL-3.0
+
+filter {
+  if [source] == "/var/log/osquery/osqueryd.results.log"{
+    json {
+        source => "message"
+    }
+  }
+}