#171

also catches other scenarios in future that would lead to fingerprint/hasing issue

docker/helk-logstash/pipeline/0099-all-fingerprint-hash-filter.conf

@@ -1,16 +1,53 @@
-# HELK All filter conf file
+# HELK All fingerprint log filter conf
 # HELK build Stage: Alpha
-# Author: Roberto Rodriguez (@Cyb3rWard0g)
+# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron)
 # License: GPL-3.0
 
 filter {
-  if [message] {
-    mutate { add_field => { "z_logstash_pipeline" => "0099" } }
+
+  # Perform hashing on winlogbeat differently than other logs
+  if [type] == "wineventlog" and [beat] {
     fingerprint {
       source => "message"
       target => "[@metadata][log_hash]"
       method => "MURMUR3"
       key => "Logstash"
+      add_field => { "z_logstash_pipeline" => "fingerprint-0099-001" }
     }
   }
+
+  else if [message] {
+    fingerprint {
+      source => "message"
+      target => "[@metadata][log_hash]"
+      method => "MURMUR3"
+      key => "Logstash"
+      add_field => { "z_logstash_pipeline" => "fingerprint-0099-002" }
+    }
+  }
+
+  else if [Message] {
+    fingerprint {
+      source => "Message"
+      target => "[@metadata][log_hash]"
+      method => "MURMUR3"
+      key => "Logstash"
+      add_field => { "z_logstash_pipeline" => "fingerprint-0099-003" }
+    }
+  }
+
+  # Scenario of no message field for, create custom one concatenating some values to guarantee unique fingerprint
+  #TONOTE: can use this value in z_logstash_pipeline to see if this event is hit
+  else if [beat] {
+    # Use this custom for this event
+    mutate { add_field => { "meta_log_tags" => "warning missing message field" } }
+    fingerprint {
+      concatenate_all_fields => true
+      target => "[@metadata][log_hash]"
+      method => "MURMUR3"
+      key => "Logstash"
+      add_field => { "z_logstash_pipeline" => "fingerprint-0099-004" }
+    }
+  }
+
 }