keep all geo fields despite taxonomy, for continuity if upstream (non-HELK) changes are made
parent
c6bad06478
commit
44a2c6b499
|
@ -30,18 +30,19 @@ filter {
|
|||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
add_field => { "[@metadata][dst_ip_addr_geo_location_successful]" => "true" }
|
||||
fields => [
|
||||
"city_name",
|
||||
"continent_code",
|
||||
"country_code2",
|
||||
"country_code3",
|
||||
"country_name",
|
||||
"dma_code",
|
||||
"latitude",
|
||||
"longitude",
|
||||
"postal_code",
|
||||
"region_name", "timezone"
|
||||
]
|
||||
#fields => [
|
||||
# "city_name",
|
||||
# "continent_code",
|
||||
# "country_code2",
|
||||
# "country_code3",
|
||||
# "country_name",
|
||||
# "dma_code",
|
||||
# "latitude",
|
||||
# "location",
|
||||
# "longitude",
|
||||
# "postal_code",
|
||||
# "region_name", "timezone"
|
||||
#]
|
||||
remove_field => [
|
||||
"[meta_dst_ip_geo][ip]",
|
||||
"[meta_dst_ip_geo][real_region_name]"
|
||||
|
|
|
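Review bot: The `#fields => [` block at the `dst_ip` geoip filter is left as a commented-out list with no statement of intent, so the next maintainer cannot tell whether it is a disabled restriction or a to-do; the same applies to the src_ip, dst_nat_ip and src_nat_ip sections below. Judging from the commit title and the 12-removed/13-added counts, the active `fields => [ ... ]` list appears to have been replaced by the commented one, which makes the filter emit every field the GeoIP database provides; please confirm. I would add a one-line comment above it, `# fields list intentionally disabled: emit every geoip field so the taxonomy stays complete if the database or upstream adds fields; the list below documents the expected set`. If the index template maps the meta_*_geo fields explicitly, any field not in the old list (e.g. "location") would now be mapped dynamically, which is worth checking on the template side. The enclosing geoip block starts before the hunk and `remove_field` closes after it.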
@ -30,18 +30,19 @@ filter {
|
|||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
add_field => { "[@metadata][src_ip_addr_geo_location_successful]" => "true" }
|
||||
fields => [
|
||||
"city_name",
|
||||
"continent_code",
|
||||
"country_code2",
|
||||
"country_code3",
|
||||
"country_name",
|
||||
"dma_code",
|
||||
"latitude",
|
||||
"longitude",
|
||||
"postal_code",
|
||||
"region_name", "timezone"
|
||||
]
|
||||
#fields => [
|
||||
# "city_name",
|
||||
# "continent_code",
|
||||
# "country_code2",
|
||||
# "country_code3",
|
||||
# "country_name",
|
||||
# "dma_code",
|
||||
# "latitude",
|
||||
# "location",
|
||||
# "longitude",
|
||||
# "postal_code",
|
||||
# "region_name", "timezone"
|
||||
#]
|
||||
remove_field => [
|
||||
"[meta_src_ip_geo][ip]",
|
||||
"[meta_src_ip_geo][real_region_name]"
|
||||
|
|
|
@ -30,18 +30,19 @@ filter {
|
|||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
add_field => { "[@metadata][dst_nat_ip_addr_geo_location_successful]" => "true" }
|
||||
fields => [
|
||||
"city_name",
|
||||
"continent_code",
|
||||
"country_code2",
|
||||
"country_code3",
|
||||
"country_name",
|
||||
"dma_code",
|
||||
"latitude",
|
||||
"longitude",
|
||||
"postal_code",
|
||||
"region_name", "timezone"
|
||||
]
|
||||
#fields => [
|
||||
# "city_name",
|
||||
# "continent_code",
|
||||
# "country_code2",
|
||||
# "country_code3",
|
||||
# "country_name",
|
||||
# "dma_code",
|
||||
# "latitude",
|
||||
# "location",
|
||||
# "longitude",
|
||||
# "postal_code",
|
||||
# "region_name", "timezone"
|
||||
#]
|
||||
remove_field => [
|
||||
"[meta_dst_nat_ip_geo][ip]",
|
||||
"[meta_dst_nat_ip_geo][real_region_name]"
|
||||
|
|
|
@ -30,18 +30,19 @@ filter {
|
|||
# #TONOTE:It is important to note that this config value is global to the geoip_type. That is to say all instances of the geoip filter of the same geoip_type share the same cache. The last declared cache size will win. The reason for this is that there would be no benefit to having multiple caches for different instances at different points in the pipeline, that would just increase the number of cache misses and waste memory.
|
||||
cache_size => 90000
|
||||
add_field => { "[@metadata][src_nat_ip_addr_geo_location_successful]" => "true" }
|
||||
fields => [
|
||||
"city_name",
|
||||
"continent_code",
|
||||
"country_code2",
|
||||
"country_code3",
|
||||
"country_name",
|
||||
"dma_code",
|
||||
"latitude",
|
||||
"longitude",
|
||||
"postal_code",
|
||||
"region_name", "timezone"
|
||||
]
|
||||
#fields => [
|
||||
# "city_name",
|
||||
# "continent_code",
|
||||
# "country_code2",
|
||||
# "country_code3",
|
||||
# "country_name",
|
||||
# "dma_code",
|
||||
# "latitude",
|
||||
# "location",
|
||||
# "longitude",
|
||||
# "postal_code",
|
||||
# "region_name", "timezone"
|
||||
#]
|
||||
remove_field => [
|
||||
"[meta_src_nat_ip_geo][ip]",
|
||||
"[meta_src_nat_ip_geo][real_region_name]"
|
||||
|
|