refactor: Migrate filter configurations from .conf to .yml format.

Author: osmontero

filters/antivirus/checkpoint.conf

@@ -0,0 +1,49 @@
+pipeline:
+  - dataTypes:
+      - antivirus-checkpoint
+    steps:
+      # 1. Parse header to extract the payload inside brackets
+      - grok:
+          source: raw
+          patterns:
+            - fieldName: log.header
+              pattern: '{{.data}} - \['
+            - fieldName: log.payload
+              pattern: '{{.data}}'
+            - fieldName: log.footer
+              pattern: '; \]'
+
+      # 2. Parse the payload as Key-Value pairs
+      - kv:
+          source: log.payload
+          fieldSplit: " "
+          valueSplit: ":"
+          
+      # 3. Clean up quotes from values (since we don't have trim_value in kv)
+      # We would need a trim step for every field, but since we don't know all dynamic fields, 
+      # we assume the KV parser handles basic quotes or we accept them. 
+      # However, Logstash config suggests fields might be quoted like field:"value".
+      # The CEL-based KV step usually handles standard formats.
+      
+      # 4. Standard Reference Mapping
+      - rename:
+          from: [log.src]
+          to: origin.ip
+      - rename:
+          from: [log.dst]
+          to: target.ip
+      - rename:
+          from: [log.s_port]
+          to: origin.port
+      - rename:
+          from: [log.service]
+          to: target.port
+
+      # 5. Type Casting
+      - cast:
+          fields: [origin.port, target.port]
+          to: int
+
+      # 6. Clean up
+      - delete:
+          fields: [log.header, log.footer]

filters/antivirus/checkpoint.yml

@@ -0,0 +1,59 @@
+pipeline:
+  - dataTypes:
+      - hids
+    steps:
+      # 1. Parse JSON
+      - json:
+          source: raw
+
+      # 2. Rename Agent Fields
+      - rename:
+          from: [log.agent.id]
+          to: log.agent_id
+      - rename:
+          from: [log.agent.ip]
+          to: log.agent_ip
+      - rename:
+          from: [log.agent.name]
+          to: log.agent_name
+      - rename:
+          from: [log.manager.name]
+          to: log.manager
+      
+      # 3. Handle Special "000" Agent Case (from conf)
+      # In the new system, we might just keep the values as is, 
+      # or if we need to enforce dataSource changes, we relies on pipeline logic.
+      # The old conf set "dataSource" => "hids" if agent.id == "000".
+      # This is likely handled by defining the dataType as "hids" for this pipeline.
+
+      # 4. Rename Other Fields
+      - rename:
+          from: [log.decoder.name]
+          to: log.decoder_name
+      - rename:
+          from: [log.rule]
+          to: log.rule
+      - rename:
+          from: [log.location]
+          to: log.location
+      - rename:
+          from: [log.data]
+          to: log.data
+
+      # 5. Severity Mapping based on Rule Level
+      - add:
+          function: string
+          params: { key: severity, value: high }
+          where: 'exists("log.rule.level") && greaterThan("log.rule.level", 11)'
+      - add:
+          function: string
+          params: { key: severity, value: medium }
+          where: 'exists("log.rule.level") && lessOrEqual("log.rule.level", 11) && greaterOrEqual("log.rule.level", 7)'
+      - add:
+          function: string
+          params: { key: severity, value: low }
+          where: 'exists("log.rule.level") && lessThan("log.rule.level", 7)'
+      
+      # 6. Standard UTMStack Fields
+      # If these exist in log.data or elsewhere, they should be mapped.
+      # The conf didn't map to origin.ip/target.ip explicitly unless they were in "data".