cisagov#553, handle postgresql.log

dashboards/templates/composable/component/zeek.json

@@ -326,6 +326,13 @@
         "zeek.pe.uses_code_integrity": { "type": "keyword" },
         "zeek.pe.uses_dep": { "type": "keyword" },
         "zeek.pe.uses_seh": { "type": "keyword" },
+        "zeek.postgresql.database": { "type": "keyword" },
+        "zeek.postgresql.application_name": { "type": "keyword" },
+        "zeek.postgresql.frontend": { "type": "keyword" },
+        "zeek.postgresql.frontend_arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
+        "zeek.postgresql.backend": { "type": "keyword" },
+        "zeek.postgresql.backend_arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
+        "zeek.postgresql.rows": { "type": "long" },
         "zeek.radius.connect_info": { "type": "keyword" },
         "zeek.radius.framed_addr": { "type": "ip" },
         "zeek.radius.mac": { "type": "keyword" },

logstash/maps/service_ports.yaml

@@ -121,6 +121,8 @@ openvpn:
 pop3:
   - 110
   - 995
+postgresql:
+  - 5432
 profinet:
   - 4800
   - 4900

logstash/maps/zeek_log_ecs_categories.yaml

@@ -67,6 +67,7 @@
 "ocsp": ["file", "network"]
 "openvpn": ["network"]
 "pe": ["file"]
+"postgresql": ["database", "network"]
 "profinet": ["ot", "network"]
 "profinet_dce_rpc": ["ot", "network"]
 "profinet_io_cm": ["ot", "network"]

logstash/pipelines/zeek/1070_zeek_postgresql.conf

@@ -0,0 +1,44 @@
+########################
+# Copyright (c) 2025 Battelle Energy Alliance, LLC.  All rights reserved.
+#######################
+
+filter {
+
+
+  if ([log_source] == "postgresql") {
+    #############################################################################################################################
+    # postgresql.log
+    # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/postgresql/main.zeek.html)
+
+    if ("_jsonparsesuccess" not in [tags]) {
+      dissect {
+        id => "dissect_zeek_postgresql"
+        mapping => {
+          "[message]" => "%{[zeek_cols][ts]}  %{[zeek_cols][uid]} %{[zeek_cols][orig_h]}  %{[zeek_cols][orig_p]}  %{[zeek_cols][resp_h]}  %{[zeek_cols][resp_p]}  %{[zeek_cols][user]}  %{[zeek_cols][database]}  %{[zeek_cols][application_name]}  %{[zeek_cols][frontend]}  %{[zeek_cols][frontend_arg]}  %{[zeek_cols][backend]} %{[zeek_cols][backend_arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]}"
+        }
+      }
+
+      if ("_dissectfailure" in [tags]) {
+        mutate {
+          id => "mutate_split_zeek_postgresql"
+          split => { "[message]" => " " }
+        }
+        ruby {
+          id => "ruby_zip_zeek_postgresql"
+          init => "@zeek_postgresql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'database', 'application_name', 'frontend', 'frontend_arg', 'backend', 'backend_arg', 'success', 'rows' ]"
+          code => "event.set('[zeek_cols]', @zeek_postgresql_field_names.zip(event.get('[message]')).to_h)"
+        }
+      }
+    }
+
+    mutate {
+      id => "mutate_add_fields_zeek_postgresql"
+      add_field => {
+        "[zeek_cols][proto]" => "tcp"
+        "[zeek_cols][service]" => "postgresql"
+      }
+    }
+
+  }
+
+} # end Filter

logstash/pipelines/zeek/1200_zeek_mutate.conf

@@ -1677,6 +1677,15 @@ filter {
                add_field => { "[zeek][software][software_type]" => "OPCUA" } }
     }
 
+  } else if ([log_source] == "postgresql") {
+    #############################################################################################################################
+    # postgresql.log specific logic
+
+    if ([zeek][postgresql][rows] == 0) {
+      mutate { id => "mutate_remove_field_zeek_postgresql_zero_rows"
+               remove_field => [ "[zeek][postgresql][rows]" ] }
+    }
+
   } else if ([log_source] == "profinet_io_cm") {
     #############################################################################################################################
     # profinet_io_cm.log specific logic

logstash/pipelines/zeek/1300_zeek_normalize.conf

@@ -591,6 +591,9 @@ filter {
     }
   } # opcua_binary
 
+  if ([zeek][postgresql][frontend])              { mutate { id => "mutate_merge_normalize_zeek_postgresql_frontend_action"
+                                                            merge => { "[event][action]" => "[zeek][postgresql][frontend]" } } }
+
   if ([zeek][profinet][operation_type])          { mutate { id => "mutate_merge_normalize_zeek_profinet_operation_type"
                                                            merge => { "[event][action]" => "[zeek][profinet][operation_type]" } } }
 
@@ -1133,6 +1136,24 @@ filter {
     }
   }
 
+  if ([zeek][posgresql]) {
+    # postgresql result comes from success and backend
+    if ([zeek][postgresql][backend]) {
+      mutate { id => "mutate_add_field_zeek_postgresql_result_backend"
+               add_field => { "[@metadata][zeek_postgresql_result]" => "%{[zeek][postgresql][backend]}" } }
+    } else if ([zeek][postgresql][success] == "T") {
+      mutate { id => "mutate_add_field_zeek_postgresql_result_success"
+               add_field => { "[@metadata][zeek_postgresql_result]" => "Success" } }
+    } else if ([zeek][postgresql][success] == "F") {
+      mutate { id => "mutate_add_field_zeek_postgresql_result_failure"
+               add_field => { "[@metadata][zeek_postgresql_result]" => "Failure" } }
+    }
+    if ([@metadata][zeek_postgresql_result]) {
+      mutate { id => "mutate_merge_zeek_postgresql_result"
+               merge => { "[event][result]" => "[@metadata][zeek_postgresql_result]" } }
+    }
+  }
+
   if ([zeek][radius][result]) {
     if ([zeek][radius][result] =~ /^(?i)succ/) {
       mutate { id => "mutate_add_field_zeek_radius_success"