fluent-bit-filters-bro-ssl.conf

# Tabular log format parser
[FILTER]
    Name parser
    Match ${observer_product}.ssl
    Key_Name log
    Parser bro_ssl_parser
    Preserve_Key on
    Reserve_Data on

# JSON log format parser
[FILTER]
    Name parser
    Match ${observer_product}.ssl.json
    Key_Name log
    Parser bro_ssl_parser_json
    Preserve_Key off
    Reserve_Data on

# Rename 4-tuple fields from json
[FILTER]
    Name modify
    Match ${observer_product}.ssl.json
    Rename id.orig_h orig_h
    Rename id.orig_p orig_p
    Rename id.resp_h resp_h
    Rename id.resp_p resp_p

# Prefix all regular keys ([A-z]*) with 'zeek_ssl_'
# This will also catch any extended fields to move them under zeek.ssl
[FILTER]
    Name lua
    Match ${observer_product}.ssl*
    Script  bro_ssl_parse.lua
    Call    bro_ssl_prefix_all

[FILTER]
    Name modify
    Match ${observer_product}.ssl
    Add zeek_log_file ssl
    Add zeek_log_format tab

# These are special "_*" keys, rename them separately
[FILTER]
    Name modify
    Match ${observer_product}.ssl.json
    Rename _path zeek_log_file
    Rename _write_ts zeek_write_ts
    Add zeek_log_format json

# Pre-process SSL-specific fields
[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Add _event_dataset ${observer_product}.ssl
    Rename zeek_ssl_uid         zeek_uid
    Rename zeek_ssl_orig_h      source_ip
    Rename zeek_ssl_orig_p      source_port
    Rename zeek_ssl_resp_h      destination_ip
    Rename zeek_ssl_resp_p      destination_port
    Rename zeek_ssl_version           tls_version
    Rename zeek_ssl_cipher            tls_cipher
    Rename zeek_ssl_curve             tls_curve
    Rename zeek_ssl_next_protocol     tls_next_protocol
    Rename zeek_ssl_subject           tls_server_subject
    Rename zeek_ssl_issuer            tls_server_issuer
    Rename zeek_ssl_client_subject    tls_client_subject
    Rename zeek_ssl_client_issuer     tls_client_issuer
    Rename zeek_ssl_server_name       tls_client_server_name
    Rename zeek_ssl_log         _log_original

@INCLUDE fluent-bit-filters-bro-ssl-custom.conf

# Rename booleans in case of json log input (for tab format they would be parsed via lua)
[FILTER]
    Name modify
    Match ${observer_product}.ssl.json
    Rename zeek_ssl_resumed           tls_resumed
    Rename zeek_ssl_established       tls_established

# Cleanup - remove keys represending IP addresses if value is "-"
[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals source_ip -
    Remove_regex client_ip

[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals destination_ip -
    Remove_regex server_ip

[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals zeek_ssl_last_alert -
    Remove_regex zeek_ssl_last_alert

[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals tls_client_issuer -
    Remove_regex tls_client_issuer

[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals tls_client_subject -
    Remove_regex tls_client_subject

[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals tls_client_server_name -
    Remove_regex tls_client_server_name

[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Condition Key_value_equals tls_next_protocol -
    Remove_regex tls_next_protocol

# ECS: Parse boolean values (resumed, established)
[FILTER]
    Name    lua
    Match   ${observer_product}.ssl
    Script  bro_ssl_parse.lua
    Call    bro_ssl_parse_booleans

# ECS: Parse fuids into arrays
[FILTER]
    Name    lua
    Match   ${observer_product}.ssl*
    Script  bro_ssl_parse.lua
    Call    bro_ssl_parse_fuids

# Remove no longer needed keys
[FILTER]
    Name modify
    Match ${observer_product}.ssl
    Remove zeek_ssl_resumed
    Remove zeek_ssl_established

# ECS: Nest JSON objects to comply with ECS notation: TLS.client
[FILTER]
    Name nest
    Match ${observer_product}.ssl*
    Operation nest
    Wildcard tls_client_*
    Nest_under client
    Remove_prefix tls_client_

# ECS: Nest JSON objects to comply with ECS notation: TLS.server
[FILTER]
    Name nest
    Match ${observer_product}.ssl*
    Operation nest
    Wildcard tls_server_*
    Nest_under server
    Remove_prefix tls_server_

# ECS: Nest JSON objects to comply with ECS notation: TLS
[FILTER]
    Name nest
    Match ${observer_product}.ssl*
    Operation nest
    Wildcard tls_*
    Wildcard client*
    Wildcard server*
    Nest_under tls
    Remove_prefix tls_

# Copies - moved below TLS nesting filters to keep these separate from tls_client_* and tls_server_*
[FILTER]
    Name modify
    Match ${observer_product}.ssl*
    Copy zeek_uid         _event_id
    Copy source_ip        client_ip
    Copy source_port      client_port
    Copy destination_ip   server_ip
    Copy destination_port server_port

# CUSTOM: Nest JSON objects to comply with ECS notation: Zeek SSL - inner layer
[FILTER]
    Name nest
    Match ${observer_product}.ssl*
    Operation nest
    Wildcard zeek_ssl_*
    Nest_under ssl
    Remove_prefix zeek_ssl_

# CUSTOM: Nest JSON objects to comply with ECS notation: Zeek SSL - outer layer
[FILTER]
    Name nest
    Match ${observer_product}.ssl*
    Operation nest
    Wildcard zeek_*
    Wildcard ssl*
    Nest_under zeek
    Remove_prefix zeek_