#
# Part of RedELK
# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file
#
# Author: Outflank B.V. / Marc Smeets
#

def filter(event)
	host = event.get("[agent][name]")
	logpath = event.get("[log][file][path]")
	temppath = logpath.split('/cobaltstrike/server')
	implantlogpath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath[1]}"
	event.tag("_rubyparseok")
  	event.set("[implant][log_file]", implantlogpath)
	return [event]
end