Corelight JSON to TSV Preprocessor#

Corelight is the commercial version of the highly popular network monitoring tool Zeek. Gravwell provides a robust Zeek kit which is designed to provide fast and flexible access to the TSV formated Zeek data. Rather than replicate the entire Zeek kit for Corelight JSON data, which would require additional storage and perform worse than the standard TSV formatted data which comes from Zeek, we prefer to convert the JSON data to TSV. This preprocessor is designed to recieve entries from Corelight via their JSON-over-TCP export option and translate them into Zeek standard TSV data. As a result you can use the Gravwell Zeek kit and integrations with a commercial Corelight deployment.

The Corelight JSON to TSV preprocessor type is “corelight”.

Supported Options#

  • Prefix (string, optional): This parameter specifies the tag prefix attached to entries. The default is “zeek”.

  • Custom-Format (string, optional): This parameter specifies custom path and header values. A Custom-Format can be a wholly new format or override an existing format.

Multiple Custom-Format options can be specified in a single preprocessor block, for translating output from Corelight plugins or overriding an existing default handler. Formats are specified as: <tag suffix>:<TSV headers>.

For example, here is a format specification which looks for the S7Comm Zeek plugin:

s7comm:ts,uid,id,pdu_type,rosctr,parameter,item_count,data_info

This specification would output a TSV log on the zeeks7comm tag with 8 fields.

Example Data Translations#

Example input conn.log JSON data:

{
  "_path": "conn",
  "_system_name": "ds61",
  "_write_ts": "2020-08-16T06:26:04.077276Z",
  "_node": "worker-01",
  "ts": "2020-08-16T06:26:03.553287Z",
  "uid": "CMdzit1AMNsmfAIiQc",
  "id.orig_h": "192.168.4.76",
  "id.orig_p": 36844,
  "id.resp_h": "192.168.4.1",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.06685185432434082,
  "orig_bytes": 62,
  "resp_bytes": 141,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 118,
  "resp_pkts": 2,
  "resp_ip_bytes": 197
}

Resulting TSV output:

1597559163.553287    CMdzit1AMNsmfAIiQc      192.168.4.76    36844   192.168.4.1     53      udp     dns     0.06685 62      141     SF      -       -       0       Dd      2       118     2       197     -       -

Example: Default Handlers#

Here is a basic Simple Relay example which listens for JSON over TCP on port 7890 and translates the JSON payloads to TSV data with no custom handlers:

[Listener "corelight"]
	Bind-String="0.0.0.0:7890"
	Preprocessor=corelight

[Preprocessor "corelight"]
	Type=corelight

Example: Custom Handlers and Prefix#

This example shows how to set a custom prefix and inject a custom handler. Using the Prefix override, we are setting all the routed tags to prepend core instead of zeek:

[Listener "corelight"]
	Bind-String="0.0.0.0:7890"
	Preprocessor=corelight

[Preprocessor "corelight"]
	Type=corelight
	Prefix="core"
	Custom-Format="s7comm:ts,uid,id,pdu_type,rosctr,parameter,item_count,data_info"

Example: Override Existing Handler#

This example shows that we can inject a custom handler as well as override an existing default handler:

[Listener "corelight"]
	Bind-String="0.0.0.0:7890"
	Preprocessor=corelight

[Preprocessor "corelight"]
	Type=corelight
	Custom-Format="s7comm:ts,uid,id,pdu_type,rosctr,parameter,item_count,data_info"
	Custom-Format="conn:ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration"

Default Handlers#

The following handlers are included by default:

  • conn

  • dns

  • dhcp

  • ssh

  • ftp

  • http

  • files

  • ssl

  • x509

  • smtp

  • pe

  • ntp

  • notice

  • weird

  • dpd

  • irc

  • rdp

  • sip

  • snmp

  • tunnel

  • socks

  • software

  • syslog

  • rfb

  • radius

  • intel

  • kerberos

  • mysql

  • modbus

  • signature

  • smb_mapping

  • smb_files

  • zeekdnp3