tweak logstash.conf for citrixhoneypot

docker/elk/logstash/dist/logstash.conf

@@ -217,10 +217,10 @@ filter {
   if [type] == "CitrixHoneypot" {
     grok { 
       match => { 
-        "message" => [ "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{UNIXPATH:filename}", 
+        "message" => [ "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{UNIXPATH:fileinfo.filename:string}", 
-	               "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{JAVAMETHOD:method}%{SPACE}%{CISCO_REASON:fileinfo.state}: %{GREEDYDATA:payload}", 
+	               "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{JAVAMETHOD:http.http_method:string}%{SPACE}%{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string}", 
-		       "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg} %{CISCO_REASON:filename.state}: %{GREEDYDATA:payload}",
+		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{S3_REQUEST_LINE:msg:string} %{CISCO_REASON:fileinfo.state:string}: %{GREEDYDATA:payload:string:string}",
-		       "\A\(%{IPV4:src_ip}:%{INT:src_port:integer}\): %{GREEDYDATA:msg}" ] 
+		       "\A\(%{IPV4:src_ip:string}:%{INT:src_port:integer}\): %{GREEDYDATA:msg:string}" ] 
       } 
     }
     date {
@@ -231,11 +231,13 @@ filter {
     mutate {
       add_field => {
         "dest_port" => "443"
-
+      }
+      rename => {
+        "levelname" => "level"
       }
     }
   }
-
+  
 # Conpot
   if [type] == "ConPot" {
     date {