From d19d3823f603636f9ba764790a08cd011818b3de Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Tue, 28 Aug 2018 12:41:11 +0200
Subject: [PATCH] prevent status field from being indexed as string

---
 docker/elk/logstash/dist/logstash.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docker/elk/logstash/dist/logstash.conf b/docker/elk/logstash/dist/logstash.conf
index ae4ba80e..4447808b 100644
--- a/docker/elk/logstash/dist/logstash.conf
+++ b/docker/elk/logstash/dist/logstash.conf
@@ -365,7 +365,7 @@ if "_grokparsefailure" in [tags] { drop {} }
 }
 }
 }
-# In some rare conditions dest_port, src_port is indexed as string, forcing integer for now
+# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
 if [dest_port] {
 mutate {
 convert => { "dest_port" => "integer" }
@@ -376,6 +376,11 @@ if "_grokparsefailure" in [tags] { drop {} }
 convert => { "src_port" => "integer" }
 }
 }
+ if [status] {
+ mutate {
+ convert => { "status" => "integer" }
+ }
+ }
 # Add T-Pot hostname and external IP
 if [type] == "Ciscoasa" or [type] == "ConPot" or [type] == "Cowrie" or [type] == "Dionaea" or [type] == "ElasticPot" or [type] == "eMobility" or [type] == "Glastopf" or [type] == "Honeytrap" or [type] == "Heralding" or [type] == "Mailoney" or [type] == "Rdpy" or [type] == "Suricata" or [type] == "Tanner" or [type] == "Vnclowpot" {
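Review bot: The rewritten comment in the first hunk (`+# In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now`) still records only that the fields are forced to integer, not why, so a maintainer cannot judge how much the conversion matters; suggest `# dest_port, src_port and status sometimes arrive as strings; a value whose type conflicts with the index mapping makes Elasticsearch reject the whole event (mapper_parsing_exception), so force integer before output`. Because the field conversions here are gated only on the field being present (`if [status]`, like the port blocks) and not on `[type]`, the new `status` conversion also runs for any event source whose status is textual; what mutate does with a non-numeric string (leaving it unchanged or coercing it to 0) appears to depend on the mutate plugin version, so that case is worth stating in the same comment or narrowing with a `[type]` condition. The second hunk's trailing context lines appear to run past the end of this view.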