1+ <?xml version =" 1.0" encoding =" utf-8" ?>
2+ <databaseChangeLog
3+ xmlns =" http://www.liquibase.org/xml/ns/dbchangelog"
4+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
5+ xsi : schemaLocation =" http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd" >
6+
7+ <changeSet id =" 20260213003" author =" Manuel" >
8+
9+ <sql dbms =" postgresql" splitStatements =" true" stripComments =" true" >
10+ <![CDATA[
11+
12+ UPDATE public.utm_logstash_filter
13+ SET filter_version='3.0.2',
14+ updated_at = now(),
15+ logstash_filter = $$# Bitdefender GravityZone filter, version 3.0.2
16+ # Based on https://www.bitdefender.com/business/support/en/77212-237089-event-types.html
17+ # and the previous version of the same filter
18+
19+ pipeline:
20+ - dataTypes:
21+ - antivirus-bitdefender-gz
22+ steps:
23+ # Using grok to parse header of the message
24+ - grok:
25+ patterns:
26+ - fieldName: log.syslogPriority
27+ pattern: '\<{{.data}}\>'
28+ - fieldName: log.syslogVersion
29+ pattern: '{{.integer}}'
30+ - fieldName: log.syslogDeviceTime
31+ pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
32+ - fieldName: log.syslogHostIP
33+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
34+ - fieldName: log.notDefined
35+ pattern: '{{.integer}}'
36+ - fieldName: log.0trash
37+ pattern: '{{.word}}\:{{.integer}}'
38+ - fieldName: log.restData
39+ pattern: '{{.greedy}}'
40+ source: raw
41+
42+ - grok:
43+ patterns:
44+ - fieldName: log.syslogPriority
45+ pattern: '\<{{.data}}\>'
46+ - fieldName: log.syslogVersion
47+ pattern: '{{.integer}}'
48+ - fieldName: log.syslogDeviceTime
49+ pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
50+ - fieldName: log.hostId
51+ pattern: '{{.word}}'
52+ - fieldName: log.0trash
53+ pattern: '{{.word}}'
54+ - fieldName: log.processPid
55+ pattern: '\[{{.integer}}\]'
56+ - fieldName: log.1trash
57+ pattern: '{{.word}}\:{{.integer}}'
58+ - fieldName: log.restData
59+ pattern: '{{.greedy}}'
60+ source: raw
61+
62+ - grok:
63+ patterns:
64+ - fieldName: log.syslogPriority
65+ pattern: '\<{{.data}}\>'
66+ - fieldName: log.syslogDeviceTime
67+ pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
68+ - fieldName: log.hostId
69+ pattern: '{{.word}}'
70+ - fieldName: log.0trash
71+ pattern: '{{.word}}'
72+ - fieldName: log.processPid
73+ pattern: '\[{{.integer}}\]'
74+ - fieldName: log.1trash
75+ pattern: '{{.word}}\:{{.integer}}'
76+ - fieldName: log.restData
77+ pattern: '{{.greedy}}'
78+ source: raw
79+
80+ - grok:
81+ patterns:
82+ - fieldName: log.syslogPriority
83+ pattern: '\<{{.data}}\>'
84+ - fieldName: log.syslogVersion
85+ pattern: '{{.integer}}'
86+ - fieldName: log.syslogDeviceTime
87+ pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
88+ - fieldName: log.syslogHostIP
89+ pattern: '{{.ipv4}}|{{.ipv6}}|{{.word}}'
90+ - fieldName: log.0trash
91+ pattern: '{{.word}}\:{{.integer}}'
92+ - fieldName: log.restData
93+ pattern: '{{.greedy}}'
94+ source: raw
95+
96+ - grok:
97+ patterns:
98+ - fieldName: log.syslogPriority
99+ pattern: '\<{{.data}}\>'
100+ - fieldName: log.syslogVersion
101+ pattern: '{{.integer}}'
102+ - fieldName: log.syslogDeviceTime
103+ pattern: '{{.year}}-{{.monthNumber}}-{{.monthDay}}\w{{.time}}\w'
104+ - fieldName: log.restData
105+ pattern: '{{.greedy}}'
106+ source: raw
107+
108+ - grok:
109+ patterns:
110+ - fieldName: log.syslogPriority
111+ pattern: '\<{{.data}}\>'
112+ - fieldName: log.0trash
113+ pattern: '{{.word}}\:{{.integer}}'
114+ - fieldName: log.restData
115+ pattern: '{{.greedy}}'
116+ source: raw
117+
118+ - grok:
119+ patterns:
120+ - fieldName: log.cefVersion
121+ pattern: 'CEF\:{{.integer}}'
122+ - fieldName: log.restData
123+ pattern: '{{.greedy}}'
124+ source: raw
125+
126+ # Using grok to parse components of the cef_message
127+ - grok:
128+ patterns:
129+ - fieldName: log.productVendor
130+ pattern: '\|{{.data}}\|'
131+ - fieldName: log.product
132+ pattern: '{{.data}}\|'
133+ - fieldName: log.productVersion
134+ pattern: '{{.data}}\|'
135+ - fieldName: log.signatureID
136+ pattern: '{{.data}}\|'
137+ - fieldName: log.eventType
138+ pattern: '{{.data}}\|'
139+ - fieldName: log.severity
140+ pattern: '{{.data}}\|'
141+ - fieldName: log.restData
142+ pattern: '{{.greedy}}'
143+ source: log.restData
144+
145+ # Using grok to parse kv issued fields with space
146+ - grok:
147+ patterns:
148+ - fieldName: log.2trash
149+ pattern: '{{.data}}dvc='
150+ - fieldName: log.dvcToParse
151+ pattern: '{{.data}}{{.word}}\='
152+ - fieldName: log.irrelevant
153+ pattern: '{{.greedy}}'
154+ source: log.restData
155+
156+ - grok:
157+ patterns:
158+ - fieldName: log.2trash
159+ pattern: '{{.data}}request='
160+ - fieldName: log.requestToParse
161+ pattern: '{{.data}}{{.word}}\='
162+ - fieldName: log.irrelevant
163+ pattern: '{{.greedy}}'
164+ source: log.restData
165+
166+ # Applying grok to remove unnecessary data
167+ - grok:
168+ patterns:
169+ - fieldName: log.deviceIps
170+ pattern: '{{.greedy}}{{.space}}'
171+ - fieldName: log.irrelevant
172+ pattern: '{{.greedy}}'
173+ source: log.dvcToParse
174+
175+ - grok:
176+ patterns:
177+ - fieldName: log.requested
178+ pattern: '{{.greedy}}{{.space}}'
179+ - fieldName: log.irrelevant
180+ pattern: '{{.greedy}}'
181+ source: log.requestToParse
182+
183+ # Using the kv filter with default config, usefull in key-value logs
184+ - kv:
185+ fieldSplit: " "
186+ valueSplit: "="
187+ source: log.restData
188+
189+ # Renaming useful fields
190+ - rename:
191+ from:
192+ - log.spt
193+ to: origin.port
194+
195+ - rename:
196+ from:
197+ - log.src
198+ to: origin.ip
199+
200+ - rename:
201+ from:
202+ - log.deviceIps
203+ to: origin.ip
204+
205+ - rename:
206+ from:
207+ - log.dvchost
208+ to: target.host
209+
210+ - rename:
211+ from:
212+ - log.sproc
213+ to: target.path
214+
215+ - rename:
216+ from:
217+ - log.filePath
218+ to: origin.path
219+
220+ - rename:
221+ from:
222+ - log.act
223+ to: action
224+
225+ # Removing unnecessary characters
226+ - trim:
227+ function: prefix
228+ substring: '|'
229+ fields:
230+ - log.productVendor
231+
232+ - trim:
233+ function: suffix
234+ substring: '|'
235+ fields:
236+ - log.productVendor
237+ - log.product
238+ - log.productVersion
239+ - log.signatureID
240+ - log.eventType
241+ - log.severity
242+
243+ - trim:
244+ function: prefix
245+ substring: '<'
246+ fields:
247+ - log.syslogPriority
248+
249+ - trim:
250+ function: suffix
251+ substring: '>'
252+ fields:
253+ - log.syslogPriority
254+
255+ - trim:
256+ function: prefix
257+ substring: '['
258+ fields:
259+ - log.processPid
260+
261+ - trim:
262+ function: suffix
263+ substring: ']'
264+ fields:
265+ - log.processPid
266+
267+ # Adding geolocation to origin ip
268+ - dynamic:
269+ plugin: com.utmstack.geolocation
270+ params:
271+ source: origin.ip
272+ destination: origin.geolocation
273+ where: exists("origin.ip")
274+
275+ # Reformat and field conversions
276+ - cast:
277+ fields:
278+ - origin.port
279+ to: int
280+
281+ # Removing unused fields
282+ - delete:
283+ fields:
284+ - log.0trash
285+ - log.1trash
286+ - log.2trash
287+ - log.restData
288+ - log.irrelevant
289+ - log.spt
290+ - log.src
291+ - log.sproc
292+ - log.filePath
293+ - log.dvc
294+ - log.request
295+ - log.dvcToParse
296+ - log.cefVersion$$
297+ WHERE id = 1514;
298+ ]]>
299+ </sql >
300+ </changeSet >
301+ </databaseChangeLog >
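Review bot: The delete step at the end of the filter (gutter lines 282–296) drops `log.dvcToParse` but not its sibling `log.requestToParse`, and `log.requested`, produced by the grok step over `log.requestToParse`, is neither renamed nor deleted, so both survive into the stored event next to the fields the filter deliberately cleans up; add `- log.requestToParse` to the delete list and either rename `log.requested` to its intended target field or add `- log.requested` there as well. Separately, `log.src` and `log.deviceIps` are both renamed to `origin.ip` in consecutive steps; which value wins when both are present depends on the rename step's overwrite semantics, which the hunk does not show, so the intended precedence should be made explicit (for instance by gating the second rename with a `where` clause like the `dynamic` step uses, if the rename step supports one). The UPDATE is also keyed on the hard-coded `WHERE id = 1514` with no precondition on the changeset, so on a database where that filter row carries a different id the changeset is recorded as run while updating nothing; a `<preConditions>` with a `sqlCheck` on that row count would surface the mismatch instead of hiding it.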