Add custom field to logs

[nicogeron]

I'm trying to add a custom field to all ingested logs using this method: https://docs.securityonion.net/en/2.4/elasticsearch.html (Parsing tab). However, it only adds the pipeline to Elasticsearch and does not apply it to the logs.

[cm-ops]

Are you trying to add a new processor to the ingest pipeline or just add a field to an existing data stream? If it is just adding a field, try the update mapping API https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-put-mapping.html

[nicogeron]

I would like this field to be added to ingestion, I have already tried to modify existing pipelines but some of them are reset when elasticsearch is restarted.
I'd also like to add this field conditionally.
Example: when I ingest PCAPs, I'd like a field like “log_type” = “PCAP” but I don't know what condition to set to make sure it's only applied to PCAPs and to all PCAPs.

[cm-ops]

Are you modifying the ingest pipeline in Kibana? If so, you would need to find the ingest pipeline file at /opt/so/saltstack/default/salt/elasticsearch/files/ingest/ and copy it to /opt/so/saltstack/local/salt/elasticsearch/files/ingest/ and make your addition.