Commit 9490b3e
pipelines: migrate 91 transform_ocsf entries into push/pull/ structure
Moves 91 community pipeline directories from
pipelines/community/transform_ocsf/<name>/ into the ingest-mode-first
taxonomy introduced in #59:
pipelines/push/syslog/<vendor>/<product>/ 57 entries
pipelines/pull/api/<vendor>/<product>/ 29 entries
pipelines/pull/object_store/<vendor>/<product>/ 5 entries
The mode bucket is determined by each entry's ingest_mode field (backfilled
in #61). The vendor and product split is derived per entry from the
upstream parser binding and vendor/product convention; collisions across
the cluster (Cisco Meraki, Fortinet, Cloudflare, Zscaler, Microsoft, etc.)
are disambiguated with explicit product-name overrides documented in
.reorg-prep/inventory/transform_ocsf_migration_plan.tsv.
History is preserved on every entry (git mv).
What stays in pipelines/community/transform_ocsf/ (15 entries):
- Generic / template / unknown-vendor entries: agent_metrics_logs,
generic_access_logs, inngate_gateway_logs, json_generic_logs,
json_nested_kv_logs, leef_template_logs, log4shell_detection_logs,
mail_server_logs, microservice_tracing_logs, sample_test_logs,
spam_detection_logs, sql_database_logs, syslog_space_delimited_logs,
vpc_logs, jruby_application_logs.
What is NOT in this PR (intentional):
- 23 entries scheduled for removal in #62 (broken-legacy, 7) and #63
(first-party ingestion paths, 16) are NOT moved; they remain in
transform_ocsf/ until those PRs merge. This PR has no overlap or
conflict with #62/#63 -- merge order does not matter.
- No serializer logic, no metadata.yaml content, and no pipeline JSON
content was modified. Every change is a directory rename.
- No naming-consistency cleanup (e.g., paloalto_* -> palo_alto/*) is
applied yet; that is a separate follow-up.
The pipelines/push/{syslog,hec}/ and pipelines/pull/{api,object_store}/
directories are now populated -- the empty scaffolding from #59 finally
has content.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent af61b53, commit 9490b3e
354 files changed
File tree
- pipelines
  - pull
    - api
      - axonius/assets
      - cloudflare
        - general
        - logs
        - waf_alt
        - waf
      - confluent/kafka
      - crowdstrike
        - detections
        - logs
      - github/audit
      - google
        - cloud_dns
        - gcp_vpc_flow
        - workspace
      - hashicorp/hcp_vault
      - imperva/incapsula
      - microsoft
        - azure
        - m365_audit
        - m365_mgmt_api
      - mimecast/mimecast
      - okta
        - logs
        - ocsf
      - rubrik/backup
      - sentinelone/singularity_identity
      - tailscale/tailscale
      - teleport/audit
      - vectra/ai
      - zscaler
        - dns_firewall
        - firewall
        - logs
        - zia
    - object_store
      - aws
        - elb
        - vpc_dns
        - vpc_flow
      - cisco/umbrella
      - microsoft/azure_nsg_flow
  - push/syslog
    - akamai
      - cdn
      - dns
      - general
      - sitedefender
    - apache/http
    - barracuda/firewall
    - beyondtrust/passwordsafe
    - cisco
      - asa
      - combo
      - firewall
      - fmc
      - ios
      - ironport
      - isa3000
      - ise
      - logs
      - meraki_flow
      - meraki_v2
      - meraki_v3
      - meraki
      - networks
    - citrix/netscaler
    - crowdstrike/endpoint
    - cyberark/conjur
    - f5/networks
    - forcepoint/forcepoint
    - fortinet
      - fortigate_candidate
      - fortigate_v2
      - fortigate
      - fortimanager
      - logs
    - haproxy/loadbalancer
    - imperva/waf
    - infoblox/logs
    - juniper/logs
    - linux
      - auth
      - dhcp
      - dns_general
      - dns_ocsf
      - ufw
    - manageengine
      - ad_audit_plus_alt
      - adauditplus
      - logs
    - microsoft
      - active_directory
      - iis
      - windows_event
    - nginx
      - access
      - error
    - palo_alto
      - globalprotect
      - panos_alt
      - panos
    - pfsense/firewall
    - sonicwall/firewall
    - squid/proxy
    - vmware
      - vcenter_v2
      - vcenter
    - watchguard/firewall