From 226e6c27a5ce071d53db8179e55c04eb474e240f Mon Sep 17 00:00:00 2001 
From: beats-jenkins Date: Fri, 3 May 2019 16:29:12 +0200 Subject: [PATCH] [Filebeat] Add -expected files by default So far expected files in Filebeat tests were only generated and compared when a file exists. This changes to create a generated for all example logs. This will add a few more files to the repository but I think there the benefits outweight the costs as it means the modules are tested in more detail. Also minor changes will be detected easier. --- .../test/darwin-2.4.23.log-expected.json | 118 + .../test/ubuntu-2.2.22.log-expected.json | 233 ++ .../test/darwin-2.4.23.log-expected.json | 30 + .../test/ubuntu-2.2.22.log-expected.json | 98 + .../log/test/audit-rhel7.log-expected.json | 2433 ++++++++++++++++ .../gc/test/gc.log-expected.json | 1538 ++++++++++ .../test/elasticsearch.624.log-expected.json | 831 ++++++ .../test/controller-2.0.0.log-expected.json | 313 ++ .../log/test/server-2.0.0.log-expected.json | 1407 +++++++++ .../kibana/log/test/log.624.log-expected.json | 2434 ++++++++++++++++ .../test/log.verbose.624.log-expected.json | 2243 ++++++++++++++ ...mysql-darwin-brew-5.7.10.log-expected.json | 1297 +++++++++ .../mysql-ubuntu-5.5.53.log-expected.json | 1107 +++++++ .../mysql-ubuntu-8.0.15.log-expected.json | 158 + .../test/mariadb-10.3.13.log-expected.json | 39 + ...mysql-darwin-brew-5.7.10.log-expected.json | 24 + .../mysql-debian-5.7.17.log-expected.json | 71 + .../mysql-debian-5.7.19.log-expected.json | 24 + .../mysql-ubuntu-5.5.53.log-expected.json | 297 ++ .../percona-ubuntu-5.7.19.log-expected.json | 338 +++ .../access/test/access.log-expected.json | 382 +++ .../test/osquery.rootkit.log-expected.json | 1698 +++++++++++ .../osqueryd.results.darwin.log-expected.json | 2435 ++++++++++++++++ .../osqueryd.results.sample.log-expected.json | 2575 +++++++++++++++++ .../postgresql-ubuntu-9.5.log-expected.json | 1248 ++++++++ .../test/redis-darwin-3.0.2.log-expected.json | 232 ++ .../test/redis-debian-1.2.6.log-expected.json | 1102 +++++++ 
.../redis-windows-2.4.6.log-expected.json | 376 +++ .../test/auth-ubuntu1204.log-expected.json | 1327 +++++++++ .../auth/test/secure-rhel7.log-expected.json | 1792 ++++++++++++ .../system/auth/test/test.log-expected.json | 26 +- .../test/darwin-syslog.log-expected.json | 1302 +++++++++ filebeat/tests/system/test_modules.py | 3 +- 33 files changed, 29516 insertions(+), 15 deletions(-) create mode 100644 filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json create mode 100644 filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json create mode 100644 filebeat/module/apache/error/test/darwin-2.4.23.log-expected.json create mode 100644 filebeat/module/apache/error/test/ubuntu-2.2.22.log-expected.json create mode 100644 filebeat/module/auditd/log/test/audit-rhel7.log-expected.json create mode 100644 filebeat/module/elasticsearch/gc/test/gc.log-expected.json create mode 100644 filebeat/module/elasticsearch/server/test/elasticsearch.624.log-expected.json create mode 100644 filebeat/module/kafka/log/test/controller-2.0.0.log-expected.json create mode 100644 filebeat/module/kafka/log/test/server-2.0.0.log-expected.json create mode 100644 filebeat/module/kibana/log/test/log.624.log-expected.json create mode 100644 filebeat/module/kibana/log/test/log.verbose.624.log-expected.json create mode 100644 filebeat/module/mysql/error/test/mysql-darwin-brew-5.7.10.log-expected.json create mode 100644 filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json create mode 100644 filebeat/module/mysql/error/test/mysql-ubuntu-8.0.15.log-expected.json create mode 100644 filebeat/module/mysql/slowlog/test/mariadb-10.3.13.log-expected.json create mode 100644 filebeat/module/mysql/slowlog/test/mysql-darwin-brew-5.7.10.log-expected.json create mode 100644 filebeat/module/mysql/slowlog/test/mysql-debian-5.7.17.log-expected.json create mode 100644 filebeat/module/mysql/slowlog/test/mysql-debian-5.7.19.log-expected.json create mode 100644 
filebeat/module/mysql/slowlog/test/mysql-ubuntu-5.5.53.log-expected.json create mode 100644 filebeat/module/mysql/slowlog/test/percona-ubuntu-5.7.19.log-expected.json create mode 100644 filebeat/module/nginx/access/test/access.log-expected.json create mode 100644 filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json create mode 100644 filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json create mode 100644 filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json create mode 100644 filebeat/module/postgresql/log/test/postgresql-ubuntu-9.5.log-expected.json create mode 100644 filebeat/module/redis/log/test/redis-darwin-3.0.2.log-expected.json create mode 100644 filebeat/module/redis/log/test/redis-debian-1.2.6.log-expected.json create mode 100644 filebeat/module/redis/log/test/redis-windows-2.4.6.log-expected.json create mode 100644 filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json create mode 100644 filebeat/module/system/auth/test/secure-rhel7.log-expected.json create mode 100644 filebeat/module/system/syslog/test/darwin-syslog.log-expected.json diff --git a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json new file mode 100644 index 00000000000..48a909e0785 --- /dev/null +++ b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json 
@@ -0,0 +1,118 @@ +[ + { + "@timestamp": "2016-12-26T14:16:28.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.response.body.bytes": 45, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, + "service.type": "apache", + "source.address": "::1", + "source.ip": "::1", + "url.original": "/", + "user.name": "-" + }, + { + "@timestamp": "2016-12-26T14:16:29.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.response.body.bytes": 209, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 61, + "service.type": "apache", + "source.address": "::1", + "source.ip": "::1", + "url.original": "/favicon.ico", + "user.name": "-" + }, + { + "@timestamp": "2016-12-26T14:16:48.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.response.status_code": 408, + "input.type": "log", + "log.offset": 134, + "service.type": "apache", + "source.address": "::1", + "source.ip": "::1", + "user.name": "-" + }, + { + "@timestamp": "2016-12-26T16:23:35.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.response.body.bytes": 45, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 181, + "service.type": "apache", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/", + "user.name": "-" + }, + { + "@timestamp": "2016-12-26T16:23:41.000Z", + "ecs.version": 
"1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.response.body.bytes": 206, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 252, + "service.type": "apache", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/notfound", + "user.name": "-" + }, + { + "@timestamp": "2016-12-26T16:23:45.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.response.body.bytes": 201, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 332, + "service.type": "apache", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/hmm", + "user.name": "-" + } +] \ No newline at end of file diff --git a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json new file mode 100644 index 00000000000..d8ec80fd8a3 --- /dev/null +++ b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json 
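Review bot: The `source.geo.location.lat`/`lon` values 51.2993/9.491 and `source.geo.country_iso_code: "DE"` in the four 77.179.66.156 records pin the output of the ingest geoip processor, which is driven by the GeoLite2 database bundled with whatever Elasticsearch the module test runs against, so a test-stack upgrade can change those fields and fail this test with no change to Filebeat. Unless the comparison in test_modules.py already drops or normalizes `source.geo.*` (that file is outside this chunk), consider excluding those keys from the generated snapshot or recording the Elasticsearch/GeoLite2 version the fixtures were generated against next to them. Separately, 77.179.66.156 appears to be a routable address rather than an RFC 5737 documentation range; it comes from the existing sample log, but this expected file now also publishes its derived coordinates, so new fixtures that do not need geo enrichment should prefer 192.0.2.0/24 or similar.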
@@ -0,0 +1,233 @@ +[ + { + "@timestamp": "2016-12-26T16:18:09.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 491, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, + "service.type": "apache", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Wget", + "user_agent.original": "Wget/1.13.4 (linux-gnu)", + "user_agent.version": "1.13.4" + }, + { + "@timestamp": "2016-12-26T16:22:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 484, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 98, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-26T16:22:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "http://192.168.33.72/", + "http.response.body.bytes": 504, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 296, + "service.type": "apache", + "source.address": 
"192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/favicon.ico", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-26T16:22:08.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 484, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 525, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "50.0" + }, + { + "@timestamp": "2016-12-26T16:22:08.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 504, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 685, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/favicon.ico", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 
Firefox/50.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "50.0" + }, + { + "@timestamp": "2016-12-26T16:22:08.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 504, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 856, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/favicon.ico", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "50.0" + }, + { + "@timestamp": "2016-12-26T16:22:10.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 498, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1027, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/test", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "50.0" + }, + { + "@timestamp": "2016-12-26T16:22:13.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + 
"fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 499, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1191, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/hello", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "50.0" + }, + { + "@timestamp": "2016-12-26T16:22:17.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.access", + "event.module": "apache", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 499, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1356, + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1", + "url.original": "/crap", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "50.0" + } +] \ No newline at end of file diff --git a/filebeat/module/apache/error/test/darwin-2.4.23.log-expected.json b/filebeat/module/apache/error/test/darwin-2.4.23.log-expected.json new file mode 100644 index 00000000000..02b509dd192 --- /dev/null +++ b/filebeat/module/apache/error/test/darwin-2.4.23.log-expected.json 
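Review bot: The `user_agent.*` fields in every record here (e.g. `user_agent.version: "54.0.2840"` for `Chrome/54.0.2840.98`, `user_agent.os.full: "Mac OS X 10.12.0"`) are produced by the ingest user_agent processor from the regex definitions shipped inside Elasticsearch, not by Filebeat, so this snapshot will break whenever the test Elasticsearch is upgraded with newer uap-core regexes. If the comparison in test_modules.py (outside this chunk) does not already mask these fields, a short comment in the test harness or the module test README stating which Elasticsearch version produced the -expected.json files would make such failures quick to triage rather than look like a parser regression. Also note that `http.request.referrer: "-"` and `user.name: "-"` are stored as literal placeholder values; snapshotting them locks that behaviour in, so a later pipeline fix that drops the `-` will require regenerating every access fixture — acceptable, but worth knowing when reading future diffs of these files.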
@@ -0,0 +1,30 @@ +[ + { + "@timestamp": "2016-12-26T16:15:55.103Z", + "apache.error.module": "mpm_prefork", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "notice", + "log.offset": 0, + "message": "AH00163: Apache/2.4.23 (Unix) configured -- resuming normal operations", + "process.pid": 11379, + "service.type": "apache" + }, + { + "@timestamp": "2016-12-26T16:15:55.103Z", + "apache.error.module": "core", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "notice", + "log.offset": 138, + "message": "AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'", + "process.pid": 11379, + "service.type": "apache" + } +] \ No newline at end of file diff --git a/filebeat/module/apache/error/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/error/test/ubuntu-2.2.22.log-expected.json new file mode 100644 index 00000000000..4610af38dd7 --- /dev/null +++ b/filebeat/module/apache/error/test/ubuntu-2.2.22.log-expected.json 
@@ -0,0 +1,98 @@ +[ + { + "@timestamp": "2016-12-26T16:17:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "notice", + "log.offset": 0, + "message": "Apache/2.2.22 (Ubuntu) configured -- resuming normal operations", + "service.type": "apache" + }, + { + "@timestamp": "2016-12-26T16:22:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "error", + "log.offset": 100, + "message": "File does not exist: /var/www/favicon.ico, referer: http://192.168.33.72/", + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1" + }, + { + "@timestamp": "2016-12-26T16:22:08.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "error", + "log.offset": 231, + "message": "File does not exist: /var/www/favicon.ico", + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1" + }, + { + "@timestamp": "2016-12-26T16:22:08.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "error", + "log.offset": 330, + "message": "File does not exist: /var/www/favicon.ico", + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1" + }, + { + "@timestamp": "2016-12-26T16:22:10.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "error", + "log.offset": 429, + "message": "File does not exist: /var/www/test", + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1" + }, + { + "@timestamp": "2016-12-26T16:22:13.000Z", + 
"ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "error", + "log.offset": 521, + "message": "File does not exist: /var/www/hello", + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1" + }, + { + "@timestamp": "2016-12-26T16:22:17.000Z", + "ecs.version": "1.0.0", + "event.dataset": "apache.error", + "event.module": "apache", + "fileset.name": "error", + "input.type": "log", + "log.level": "error", + "log.offset": 614, + "message": "File does not exist: /var/www/crap", + "service.type": "apache", + "source.address": "192.168.33.1", + "source.ip": "192.168.33.1" + } +] \ No newline at end of file diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json new file mode 100644 index 00000000000..c2d854fd084 --- /dev/null +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json 
@@ -0,0 +1,2433 @@ +[ + { + "@timestamp": "2016-12-07T02:16:23.819Z", + "auditd.log.format": "raw", + "auditd.log.kernel": "3.10.0-327.36.3.el7.x86_64", + "auditd.log.sequence": 7798, + "auditd.log.subj": "system_u:system_r:auditd_t:s0", + "auditd.log.ver": "2.4.1", + "ecs.version": "1.0.0", + "event.action": "daemon_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "process.pid": 251, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2016-12-07T02:16:23.864Z", + "auditd.log.sequence": 6, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 190, + "message": "unit=auditd", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:23.876Z", + "auditd.log.sequence": 7, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "system_boot", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 419, + "process.executable": "/usr/lib/systemd/systemd-update-utmp", + "process.name": "systemd-update-utmp", + "process.pid": 273, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:23.879Z", + "auditd.log.sequence": 8, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": 
"auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 661, + "message": "unit=systemd-update-utmp", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.075Z", + "auditd.log.sequence": 9, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 903, + "message": "unit=systemd-hwdb-update", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.088Z", + "auditd.log.sequence": 10, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1145, + "message": "unit=systemd-update-done", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.163Z", + "auditd.log.sequence": 11, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1388, + "message": 
"unit=systemd-udev-trigger", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.212Z", + "auditd.log.sequence": 12, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1632, + "message": "unit=irqbalance", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.521Z", + "auditd.log.sequence": 13, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1866, + "message": "unit=avahi-daemon", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.521Z", + "auditd.log.sequence": 14, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2102, + "message": "unit=dbus", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + 
"user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.526Z", + "auditd.log.sequence": 15, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2330, + "message": "unit=rsyslog", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.534Z", + "auditd.log.sequence": 16, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_stop", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2561, + "message": "unit=irqbalance", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.827Z", + "auditd.log.entries": "0", + "auditd.log.family": "2", + "auditd.log.sequence": 17, + "auditd.log.table": "filter", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2794, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:24.827Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 17, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + 
"auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 2875, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 391, + "process.ppid": 390, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.858Z", + "auditd.log.entries": "0", + "auditd.log.family": "2", + "auditd.log.sequence": 18, + "auditd.log.table": "raw", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3193, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:24.858Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 18, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 3271, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 396, + "process.ppid": 395, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + 
"user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.870Z", + "auditd.log.entries": "0", + "auditd.log.family": "2", + "auditd.log.sequence": 19, + "auditd.log.table": "security", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3589, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:24.870Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 19, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 3672, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 399, + "process.ppid": 398, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.877Z", + "auditd.log.entries": "0", + "auditd.log.family": "2", + "auditd.log.sequence": 20, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3990, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:24.877Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + 
"auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 20, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 4071, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 402, + "process.ppid": 401, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.931Z", + "auditd.log.entries": "0", + "auditd.log.family": "2", + "auditd.log.sequence": 21, + "auditd.log.table": "nat", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4389, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:24.931Z", + "auditd.log.a0": "3", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "3", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 21, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 4467, + "process.executable": "/usr/bin/kmod", + 
"process.name": "modprobe", + "process.pid": 407, + "process.ppid": 406, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.939Z", + "auditd.log.sequence": 22, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 4785, + "message": "unit=yum-cron", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.945Z", + "auditd.log.sequence": 23, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5017, + "message": "unit=rhel-dmesg", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.953Z", + "auditd.log.sequence": 24, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5251, + "message": "unit=acpid", + "process.executable": 
"/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.954Z", + "auditd.log.sequence": 25, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5480, + "message": "unit=systemd-user-sessions", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.960Z", + "auditd.log.sequence": 26, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5725, + "message": "unit=ntpd", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:24.982Z", + "auditd.log.entries": "0", + "auditd.log.family": "10", + "auditd.log.sequence": 27, + "auditd.log.table": "filter", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 5953, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:24.982Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 27, + 
"auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 6035, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 423, + "process.ppid": 422, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.012Z", + "auditd.log.sequence": 28, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6353, + "message": "unit=systemd-logind", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.031Z", + "auditd.log.sequence": 29, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6591, + "message": "unit=crond", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + 
}, + { + "@timestamp": "2016-12-07T02:16:25.043Z", + "auditd.log.sequence": 30, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 6820, + "message": "unit=expand-root", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.044Z", + "auditd.log.sequence": 31, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_stop", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7055, + "message": "unit=expand-root", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.069Z", + "auditd.log.entries": "0", + "auditd.log.family": "10", + "auditd.log.sequence": 32, + "auditd.log.table": "raw", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7289, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.069Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 32, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": 
"(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 7368, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 440, + "process.ppid": 439, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.104Z", + "auditd.log.sequence": 33, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7686, + "message": "unit=sshd-keygen", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.099Z", + "auditd.log.entries": "0", + "auditd.log.family": "10", + "auditd.log.sequence": 34, + "auditd.log.table": "security", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 7921, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.099Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 34, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + 
"auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 8005, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 446, + "process.ppid": 445, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.128Z", + "auditd.log.entries": "0", + "auditd.log.family": "10", + "auditd.log.sequence": 35, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8323, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.128Z", + "auditd.log.a0": "0", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 35, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 8405, + "process.executable": "/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 450, + "process.ppid": 449, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": 
"0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.164Z", + "auditd.log.sequence": 36, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8723, + "message": "unit=plymouth-quit", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.166Z", + "auditd.log.sequence": 37, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_stop", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 8960, + "message": "unit=plymouth-quit", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.167Z", + "auditd.log.sequence": 38, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9196, + "message": "unit=plymouth-start", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.168Z", + "auditd.log.sequence": 39, + 
"auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_stop", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9434, + "message": "unit=plymouth-start", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.170Z", + "auditd.log.sequence": 40, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9671, + "message": "unit=plymouth-quit-wait", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.170Z", + "auditd.log.sequence": 41, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_stop", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 9913, + "message": "unit=plymouth-quit-wait", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.180Z", + "auditd.log.sequence": 42, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", 
+ "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10154, + "message": "unit=serial-getty@ttyS0", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.187Z", + "auditd.log.sequence": 43, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10396, + "message": "unit=getty@tty1", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.191Z", + "auditd.log.entries": "0", + "auditd.log.family": "10", + "auditd.log.sequence": 44, + "auditd.log.table": "nat", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 10630, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.191Z", + "auditd.log.a0": "1", + "auditd.log.a1": "41a15c", + "auditd.log.a2": "0", + "auditd.log.a3": "1", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 44, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:insmod_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "313", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 10709, + "process.executable": 
"/usr/bin/kmod", + "process.name": "modprobe", + "process.pid": 453, + "process.ppid": 452, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.511Z", + "auditd.log.sequence": 45, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "ecs.version": "1.0.0", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11027, + "message": "unit=firewalld", + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.528Z", + "auditd.log.entries": "5", + "auditd.log.family": "2", + "auditd.log.sequence": 46, + "auditd.log.table": "nat", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11260, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.528Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "25be720", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 46, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 
11338, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 476, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.532Z", + "auditd.log.entries": "5", + "auditd.log.family": "2", + "auditd.log.sequence": 47, + "auditd.log.table": "nat", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 11669, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.532Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "1819720", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 47, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 11747, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 478, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.534Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 48, + 
"auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12078, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.534Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "13d0850", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 48, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 12159, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 479, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.537Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 49, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12490, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.537Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "1125850", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 49, + "auditd.log.ses": "4294967295", + "auditd.log.subj": 
"system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 12571, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 481, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.538Z", + "auditd.log.entries": "4", + "auditd.log.family": "2", + "auditd.log.sequence": 50, + "auditd.log.table": "security", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 12902, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.538Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "20a3600", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 50, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 12985, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 482, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + 
"user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.542Z", + "auditd.log.entries": "4", + "auditd.log.family": "2", + "auditd.log.sequence": 51, + "auditd.log.table": "security", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 13316, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.542Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "9f0600", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 51, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 13399, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 484, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.543Z", + "auditd.log.entries": "3", + "auditd.log.family": "2", + "auditd.log.sequence": 52, + "auditd.log.table": "raw", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + 
"log.offset": 13729, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.543Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "232e4d0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 52, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 13807, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 485, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.546Z", + "auditd.log.entries": "3", + "auditd.log.family": "2", + "auditd.log.sequence": 53, + "auditd.log.table": "raw", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14138, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.546Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "14404d0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 53, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + 
"event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 14216, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 487, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.548Z", + "auditd.log.entries": "4", + "auditd.log.family": "2", + "auditd.log.sequence": 54, + "auditd.log.table": "filter", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14547, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.548Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "c31600", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 54, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 14628, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 488, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": 
"2016-12-07T02:16:25.552Z", + "auditd.log.entries": "4", + "auditd.log.family": "2", + "auditd.log.sequence": 55, + "auditd.log.table": "filter", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 14958, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.552Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "143a600", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 55, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 15039, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 490, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.553Z", + "auditd.log.entries": "5", + "auditd.log.family": "10", + "auditd.log.sequence": 56, + "auditd.log.table": "nat", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15370, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.553Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "109b880", + "auditd.log.exit": "0", + 
"auditd.log.items": "0", + "auditd.log.sequence": 56, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 15449, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 491, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.556Z", + "auditd.log.entries": "5", + "auditd.log.family": "10", + "auditd.log.sequence": 57, + "auditd.log.table": "nat", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 15782, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.556Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "b53880", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 57, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 15861, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 493, + 
"process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.557Z", + "auditd.log.entries": "6", + "auditd.log.family": "10", + "auditd.log.sequence": 58, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 16193, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.557Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "17b09e0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 58, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 16275, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 494, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.560Z", + "auditd.log.entries": "6", + "auditd.log.family": "10", + "auditd.log.sequence": 59, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": 
"auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 16608, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.560Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "25cc9e0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 59, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 16690, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 496, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.562Z", + "auditd.log.entries": "4", + "auditd.log.family": "10", + "auditd.log.sequence": 60, + "auditd.log.table": "security", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 17023, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.562Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "14db720", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 60, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": 
"(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 17107, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 497, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.566Z", + "auditd.log.entries": "4", + "auditd.log.family": "10", + "auditd.log.sequence": 61, + "auditd.log.table": "security", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 17440, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.566Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "9d2720", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 61, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 17524, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 499, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + 
"user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.569Z", + "auditd.log.entries": "3", + "auditd.log.family": "10", + "auditd.log.sequence": 62, + "auditd.log.table": "raw", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 17856, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.569Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "fae5c0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 62, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 17935, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 500, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.573Z", + "auditd.log.entries": "3", + "auditd.log.family": "10", + "auditd.log.sequence": 63, + "auditd.log.table": "raw", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 18267, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.573Z", + "auditd.log.a0": "4", + 
"auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "19545c0", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 63, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 18346, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 502, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.575Z", + "auditd.log.entries": "4", + "auditd.log.family": "10", + "auditd.log.sequence": 64, + "auditd.log.table": "filter", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 18679, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.575Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "23a3720", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 64, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 
18761, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 503, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.578Z", + "auditd.log.entries": "4", + "auditd.log.family": "10", + "auditd.log.sequence": 65, + "auditd.log.table": "filter", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 19094, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.578Z", + "auditd.log.a0": "4", + "auditd.log.a1": "29", + "auditd.log.a2": "40", + "auditd.log.a3": "162d720", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 65, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 19176, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "ip6tables", + "process.pid": 505, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.580Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 66, + 
"auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 19509, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.580Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "14b0850", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 66, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 19590, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 506, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.582Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 67, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 19921, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.582Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "2398850", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 67, + "auditd.log.ses": "4294967295", + "auditd.log.subj": 
"system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 20002, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 507, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.583Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 68, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 20333, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.583Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "2679850", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 68, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 20414, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 508, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": 
"0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.585Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 69, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 20745, + "service.type": "auditd" + }, + { + "@timestamp": "2016-12-07T02:16:25.585Z", + "auditd.log.a0": "4", + "auditd.log.a1": "0", + "auditd.log.a2": "40", + "auditd.log.a3": "1715850", + "auditd.log.exit": "0", + "auditd.log.items": "0", + "auditd.log.sequence": 69, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:iptables_t:s0", + "auditd.log.success": "yes", + "auditd.log.syscall": "54", + "auditd.log.tty": "(none)", + "ecs.version": "1.0.0", + "event.action": "syscall", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "host.architecture": "x86_64", + "input.type": "log", + "log.offset": 20826, + "process.executable": "/usr/sbin/xtables-multi", + "process.name": "iptables", + "process.pid": 509, + "process.ppid": 296, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.effective.group.id": "0", + "user.effective.id": "0", + "user.filesystem.group.id": "0", + "user.filesystem.id": "0", + "user.group.id": "0", + "user.id": "0", + "user.saved.group.id": "0", + "user.saved.id": "0" + }, + { + "@timestamp": "2016-12-07T02:16:25.587Z", + "auditd.log.entries": "6", + "auditd.log.family": "2", + "auditd.log.sequence": 70, + "auditd.log.table": "mangle", + "ecs.version": "1.0.0", + "event.action": "netfilter_cfg", + "event.dataset": "auditd.log", + "event.module": "auditd", + "fileset.name": "log", + "input.type": "log", + "log.offset": 21157, + 
"service.type": "auditd"
+ }
+]
\ No newline at end of file
diff --git a/filebeat/module/elasticsearch/gc/test/gc.log-expected.json b/filebeat/module/elasticsearch/gc/test/gc.log-expected.json
new file mode 100644
index 00000000000..af0c8fbe66d
--- /dev/null
+++ b/filebeat/module/elasticsearch/gc/test/gc.log-expected.json
@@ -0,0 +1,1538 @@ +[ + { + "@timestamp": "2018-06-13T07:44:22.647Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 0, + "message": "Using Concurrent Mark Sweep", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.647Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "heap", + "coops" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 70, + "message": "Heap address: 0x00000000c0000000, size: 1024 MB, Compressed Oops mode: 32-bit", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.725Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 201, + "message": "Application time: 0,0011068 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.725Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 290, + "message": "Total time for which application threads were stopped: 0,0000563 seconds, Stopping threads took: 0,0000092 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.813Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 458, + "message": "Application time: 0,0884133 seconds", + "process.pid": 
"32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.813Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 547, + "message": "Total time for which application threads were stopped: 0,0000755 seconds, Stopping threads took: 0,0000103 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.836Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 715, + "message": "Application time: 0,0226148 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:22.836Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 804, + "message": "Total time for which application threads were stopped: 0,0000736 seconds, Stopping threads took: 0,0000115 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.016Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 972, + "message": "Application time: 0,1804640 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.017Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1061, + 
"message": "Total time for which application threads were stopped: 0,0001712 seconds, Stopping threads took: 0,0000212 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.059Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1229, + "message": "Application time: 0,0427365 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.060Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1318, + "message": "Total time for which application threads were stopped: 0,0000910 seconds, Stopping threads took: 0,0000104 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.072Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1486, + "message": "Application time: 0,0120864 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.072Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1575, + "message": "Total time for which application threads were stopped: 0,0002664 seconds, Stopping threads took: 0,0000334 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.105Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + 
], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1743, + "message": "Application time: 0,0328884 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.105Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 1832, + "message": "Total time for which application threads were stopped: 0,0001472 seconds, Stopping threads took: 0,0000279 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.245Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2000, + "message": "Application time: 0,1401198 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.245Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2089, + "message": "Total time for which application threads were stopped: 0,0001774 seconds, Stopping threads took: 0,0000166 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.526Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2257, + "message": "Application time: 0,2803587 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.526Z", + 
"ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2346, + "message": "Total time for which application threads were stopped: 0,0002301 seconds, Stopping threads took: 0,0000177 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.550Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2514, + "message": "Application time: 0,0243595 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.551Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2603, + "message": "Total time for which application threads were stopped: 0,0001740 seconds, Stopping threads took: 0,0000114 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.768Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2771, + "message": "Application time: 0,2175677 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.768Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 2860, + "message": "Total time for which application threads were stopped: 0,0002329 seconds, Stopping 
threads took: 0,0000205 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.804Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3028, + "message": "Application time: 0,0356169 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.804Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3117, + "message": "Total time for which application threads were stopped: 0,0002034 seconds, Stopping threads took: 0,0000405 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.820Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3285, + "message": "Application time: 0,0157189 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.820Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3374, + "message": "Total time for which application threads were stopped: 0,0002240 seconds, Stopping threads took: 0,0000540 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.838Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": 
"gc", + "input.type": "log", + "log.offset": 3542, + "message": "Application time: 0,0177385 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.838Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3631, + "message": "Total time for which application threads were stopped: 0,0002886 seconds, Stopping threads took: 0,0000213 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.868Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3799, + "message": "Application time: 0,0295439 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:23.868Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 3888, + "message": "Total time for which application threads were stopped: 0,0001937 seconds, Stopping threads took: 0,0000221 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.091Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4056, + "message": "Application time: 0,2231589 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.092Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": 
"elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4145, + "message": "Total time for which application threads were stopped: 0,0002032 seconds, Stopping threads took: 0,0000222 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.112Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4313, + "message": "Application time: 0,0201046 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.112Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4402, + "message": "Total time for which application threads were stopped: 0,0001069 seconds, Stopping threads took: 0,0000242 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.126Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4570, + "message": "Application time: 0,0144240 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.126Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4659, + "message": "Total time for which application threads were stopped: 0,0001276 seconds, Stopping threads took: 0,0000219 seconds", + "process.pid": "32376", + "service.type": 
"elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.210Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4827, + "message": "Application time: 0,0833044 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.210Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 4916, + "message": "Total time for which application threads were stopped: 0,0001685 seconds, Stopping threads took: 0,0000201 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.330Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5084, + "message": "Application time: 0,1200701 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.330Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "start" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5173, + "message": "GC(0) Pause Young (Allocation Failure)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.330Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "task" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5265, + "message": "GC(0) Using 8 workers of 8 for evacuation", + "process.pid": "32376", + 
"service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5360, + "message": "GC(0) Desired survivor size 17891328 bytes, new threshold 6 (max threshold 6)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5491, + "message": "GC(0) Age table with threshold 6 (max threshold 6)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5595, + "message": "GC(0) - age 1: 17876816 bytes, 17876816 total", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "heap" + ], + "elasticsearch.gc.young_gen.size_kb": "314560", + "elasticsearch.gc.young_gen.used_kb": "17562", + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5700, + "message": "[2018-06-13T07:44:24.343+0000][32376][gc,heap ] GC(0) ParNew: 279616K->17562K(314560K)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "heap" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + 
"fileset.name": "gc", + "input.type": "log", + "log.offset": 5792, + "message": "GC(0) CMS: 0K->0K(699072K)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "metaspace" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5872, + "message": "GC(0) Metaspace: 22819K->22819K(1071104K)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 5967, + "message": "GC(0) Pause Young (Allocation FailurGe) 273M->17M(989M) 13,344ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6085, + "message": "GC(0) User=0,07s Sys=0,00s Real=0,01s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.343Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6176, + "message": "Total time for which application threads were stopped: 0,0135152 seconds, Stopping threads took: 0,0000320 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.344Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + 
"event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6344, + "message": "Application time: 0,0000687 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.344Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "start" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6433, + "message": "GC(1) Pause Initial Mark", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.346Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6511, + "message": "GC(1) Pause Initial Mark 22M->22M(989M) 2,829ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.347Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6612, + "message": "GC(1) User=0,01s Sys=0,00s Real=0,00s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.347Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6703, + "message": "Total time for which application threads were stopped: 0,0029891 seconds, Stopping threads took: 0,0000406 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.347Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": 
"elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6871, + "message": "GC(1) Concurrent Mark", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.347Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "task" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 6946, + "message": "GC(1) Using 2 workers of 2 for marking", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.348Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7038, + "message": "GC(1) Concurrent Mark 0,937ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.348Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7121, + "message": "GC(1) User=0,00s Sys=0,00s Real=0,00s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.348Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7212, + "message": "GC(1) Concurrent Preclean", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.350Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7291, + "message": "GC(1) Concurrent Preclean 
2,067ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.350Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7378, + "message": "GC(1) User=0,00s Sys=0,00s Real=0,00s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.350Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7469, + "message": "GC(1) Concurrent Abortable Preclean", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.595Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7558, + "message": "Application time: 0,2479945 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.595Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7647, + "message": "Total time for which application threads were stopped: 0,0001480 seconds, Stopping threads took: 0,0000175 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.595Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7815, + "message": "GC(1) Concurrent Abortable Preclean 245,156ms", 
+ "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.595Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 7914, + "message": "GC(1) User=1,18s Sys=0,02s Real=0,25s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.595Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8005, + "message": "Application time: 0,0001310 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.595Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "start" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8094, + "message": "GC(1) Pause Remark", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8166, + "message": "GC(1) Pause Remark 169M->169M(989M) 23,325ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8264, + "message": "GC(1) User=0,14s Sys=0,00s Real=0,02s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": 
"2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8355, + "message": "Total time for which application threads were stopped: 0,0234535 seconds, Stopping threads took: 0,0000128 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8523, + "message": "GC(1) Concurrent Sweep", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8599, + "message": "GC(1) Concurrent Sweep 0,034ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8683, + "message": "GC(1) User=0,00s Sys=0,00s Real=0,00s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.618Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8774, + "message": "GC(1) Concurrent Reset", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.619Z", + "ecs.version": "1.0.0", + 
"elasticsearch.gc.tags": [ + "gc" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8850, + "message": "GC(1) Concurrent Reset 0,636ms", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.619Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "cpu" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 8934, + "message": "GC(1) User=0,00s Sys=0,00s Real=0,00s", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.619Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.old_gen.size_kb": "699072", + "elasticsearch.gc.old_gen.used_kb": "0", + "elasticsearch.gc.tags": [ + "gc", + "heap" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9025, + "message": "[2018-06-13T07:44:24.619+0000][32376][gc,heap ] GC(1) Old: 0K->0K(699072K)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.763Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9105, + "message": "Application time: 0,1444854 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.763Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9194, + "message": "Total time for which application threads were stopped: 0,0003334 seconds, Stopping threads took: 0,0000230 seconds", + "process.pid": "32376", 
+ "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.777Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9362, + "message": "Application time: 0,0132824 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.777Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9451, + "message": "Total time for which application threads were stopped: 0,0003048 seconds, Stopping threads took: 0,0000297 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.784Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9619, + "message": "Application time: 0,0066508 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.784Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9708, + "message": "Total time for which application threads were stopped: 0,0004138 seconds, Stopping threads took: 0,0000365 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.808Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9876, + 
"message": "Application time: 0,0239448 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:24.808Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 9965, + "message": "Total time for which application threads were stopped: 0,0003185 seconds, Stopping threads took: 0,0000191 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.072Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10133, + "message": "Application time: 0,2640511 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.074Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10222, + "message": "Total time for which application threads were stopped: 0,0012229 seconds, Stopping threads took: 0,0000654 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.139Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "safepoint" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10390, + "message": "Application time: 0,0649277 seconds", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.139Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "start" + ], + "event.dataset": "elasticsearch.gc", + "event.module": 
"elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10479, + "message": "GC(2) Pause Young (Allocation Failure)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.139Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "task" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10571, + "message": "GC(2) Using 8 workers of 8 for evacuation", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.167Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10666, + "message": "GC(2) Desired survivor size 17891328 bytes, new threshold 2 (max threshold 6)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.167Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10797, + "message": "GC(2) Age table with threshold 2 (max threshold 6)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.167Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 10901, + "message": "GC(2) - age 1: 17302064 bytes, 17302064 total", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.167Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "age" + ], + "event.dataset": "elasticsearch.gc", + 
"event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 11006, + "message": "GC(2) - age 2: 7206808 bytes, 24508872 total", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.167Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "heap" + ], + "elasticsearch.gc.young_gen.size_kb": "314560", + "elasticsearch.gc.young_gen.used_kb": "25722", + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 11111, + "message": "[2018-06-13T07:44:25.167+0000][32376][gc,heap ] GC(2) ParNew: 297178K->25722K(314560K)", + "process.pid": "32376", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-06-13T07:44:25.167Z", + "ecs.version": "1.0.0", + "elasticsearch.gc.tags": [ + "gc", + "heap" + ], + "event.dataset": "elasticsearch.gc", + "event.module": "elasticsearch", + "fileset.name": "gc", + "input.type": "log", + "log.offset": 11203, + "message": "GC(2) CMS: 0K->0K(699072K)", + "process.pid": "32376", + "service.type": "elasticsearch" + } +] \ No newline at end of file diff --git a/filebeat/module/elasticsearch/server/test/elasticsearch.624.log-expected.json b/filebeat/module/elasticsearch/server/test/elasticsearch.624.log-expected.json new file mode 100644 index 00000000000..822c7c6a28e --- /dev/null +++ b/filebeat/module/elasticsearch/server/test/elasticsearch.624.log-expected.json 
@@ -0,0 +1,831 @@ +[ + { + "@timestamp": "2018-05-17T08:19:35.939Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 0, + "message": "initializing ...", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:36.089Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.e.NodeEnvironment", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 80, + "message": "using [1] data paths, mounts [[/ (/dev/disk1s1)]], net usable_space [32.4gb], net total_space [233.5gb], types [apfs]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:36.090Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.e.NodeEnvironment", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 268, + "message": "heap size [990.7mb], compressed ordinary object pointers [true]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:36.116Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 402, + "message": "node name [vWNJsZ3] derived from node ID [vWNJsZ3nTIKh5a1ai-ftYQ]; set [node.name] to override", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:36.117Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "event.dataset": "elasticsearch.server", + 
"event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 557, + "message": "version[6.2.4], pid[32981], build[ccec39f/2018-04-12T20:37:28.497551Z], OS[Mac OS X/10.13.4/x86_64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_144/25.144-b01]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:36.117Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 797, + "message": "JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/var/folders/k3/xlwbcsmj6dd7vjv2tg1d7c_40000gn/T/elasticsearch.CaIZtfV0, -XX:+HeapDumpOnOutOfMemoryError, -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, -Xloggc:logs/gc.log, -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=32, -XX:GCLogFileSize=64m, -Des.path.home=/Users/ruflin/Downloads/elasticsearch-6.2.4, -Des.path.conf=/Users/ruflin/Downloads/elasticsearch-6.2.4/config]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.563Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1747, + "message": "loaded module [aggs-matrix-stats]", + 
"service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.564Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1851, + "message": "loaded module [analysis-common]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.564Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 1953, + "message": "loaded module [ingest-common]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.564Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2053, + "message": "loaded module [lang-expression]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.564Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2155, + "message": "loaded module [lang-mustache]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.564Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + 
"fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2255, + "message": "loaded module [lang-painless]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.565Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2355, + "message": "loaded module [mapper-extras]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.565Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2455, + "message": "loaded module [parent-join]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.565Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2553, + "message": "loaded module [percolator]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.565Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2650, + "message": "loaded module [rank-eval]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.566Z", + "ecs.version": "1.0.0", + "elasticsearch.component": 
"o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2746, + "message": "loaded module [reindex]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.566Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2840, + "message": "loaded module [repository-url]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.566Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 2941, + "message": "loaded module [transport-netty4]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.566Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3044, + "message": "loaded module [tribe]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:37.567Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.p.PluginsService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3136, + "message": "no plugins loaded", + "service.type": "elasticsearch" 
+ }, + { + "@timestamp": "2018-05-17T08:19:43.741Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.d.DiscoveryModule", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3224, + "message": "using discovery type [zen]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:45.090Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3321, + "message": "initialized", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:45.090Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3393, + "message": "starting ...", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:45.482Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.t.TransportService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3476, + "message": "publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:48.816Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.s.MasterService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + 
"log.offset": 3627, + "message": "zen-disco-elected-as-master ([0] nodes joined), reason: new_master {vWNJsZ3}{vWNJsZ3nTIKh5a1ai-ftYQ}{WWQIkoohTtWqa2gfWhFq-w}{127.0.0.1}{127.0.0.1:9300}", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:48.826Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.s.ClusterApplierService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 3849, + "message": "new_master {vWNJsZ3}{vWNJsZ3nTIKh5a1ai-ftYQ}{WWQIkoohTtWqa2gfWhFq-w}{127.0.0.1}{127.0.0.1:9300}, reason: apply cluster state (from master [master {vWNJsZ3}{vWNJsZ3nTIKh5a1ai-ftYQ}{WWQIkoohTtWqa2gfWhFq-w}{127.0.0.1}{127.0.0.1:9300} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:48.895Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.h.n.Netty4HttpServerTransport", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 4234, + "message": "publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:48.895Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 4393, + "message": "started", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:49.354Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.g.GatewayService", + "elasticsearch.node.name": "vWNJsZ3", + 
"event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 4471, + "message": "recovered [1] indices into cluster_state", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:19:50.077Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.AllocationService", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 4582, + "message": "Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[metricbeat-7.0.0-alpha1-2018.05.07][0]] ...]).", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:20:18.871Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 4781, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 32.4gb[13.9%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:20:19.467Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.m.MetaDataCreateIndexService", + "elasticsearch.index.name": "metricbeat-7.0.0-alpha1-2018.05.17", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 5049, + "message": "creating index, cause [auto(bulk api)], templates [metricbeat-7.0.0-alpha1], shards [1]/[1], mappings [doc]", + "service.type": "elasticsearch" + }, + { + 
"@timestamp": "2018-05-17T08:20:48.886Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 5273, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 32.4gb[13.9%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:21:18.895Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 5541, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:21:48.904Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 5809, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:22:18.911Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": 
"elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 6077, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:22:48.920Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 6345, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:23:18.932Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 6613, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:23:48.941Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 6881, + "message": "low disk watermark [85%] exceeded 
on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:24:18.956Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 7149, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:24:48.963Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 7417, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:25:18.976Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 7685, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + 
{ + "@timestamp": "2018-05-17T08:25:48.988Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 7953, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:26:18.997Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 8221, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:26:49.009Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 8489, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:27:19.024Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": 
"elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 8757, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:27:49.035Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 9025, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:28:19.048Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 9293, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:28:49.060Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 9561, + "message": "low disk watermark [85%] exceeded 
on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:09.245Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.m.MetaDataCreateIndexService", + "elasticsearch.index.name": "filebeat-test-input", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 9829, + "message": "creating index, cause [auto(bulk api)], templates [filebeat-test-input], shards [5]/[1], mappings [doc]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:09.576Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.m.MetaDataMappingService", + "elasticsearch.index.id": "aOGgDwbURfCV57AScqbCgw", + "elasticsearch.index.name": "filebeat-test-input", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10034, + "message": "update_mapping [doc]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:12.177Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.m.MetaDataCreateIndexService", + "elasticsearch.index.name": "test-filebeat-modules", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10175, + "message": "creating index, cause [auto(bulk api)], templates [test-filebeat-modules], shards [5]/[1], mappings [doc]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:12.660Z", + "ecs.version": "1.0.0", + "elasticsearch.component": 
"o.e.c.m.MetaDataMappingService", + "elasticsearch.index.id": "npNY8YrBQtC7JpFOh1sB0w", + "elasticsearch.index.name": "test-filebeat-modules", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10384, + "message": "update_mapping [doc]", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:19.114Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.c.r.a.DiskThresholdMonitor", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10527, + "message": "low disk watermark [85%] exceeded on [vWNJsZ3nTIKh5a1ai-ftYQ][vWNJsZ3][/Users/ruflin/Downloads/elasticsearch-6.2.4/data/nodes/0] free: 33.4gb[14.3%], replicas will not be assigned to this node", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:25.418Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10795, + "message": "stopping ...", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:25.598Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10878, + "message": "stopped", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:25.598Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "vWNJsZ3", + 
"event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 10956, + "message": "closing ...", + "service.type": "elasticsearch" + }, + { + "@timestamp": "2018-05-17T08:29:25.612Z", + "ecs.version": "1.0.0", + "elasticsearch.component": "o.e.n.Node", + "elasticsearch.node.name": "vWNJsZ3", + "event.dataset": "elasticsearch.server", + "event.module": "elasticsearch", + "fileset.name": "server", + "input.type": "log", + "log.level": "INFO", + "log.offset": 11038, + "message": "closed", + "service.type": "elasticsearch" + } +] \ No newline at end of file diff --git a/filebeat/module/kafka/log/test/controller-2.0.0.log-expected.json b/filebeat/module/kafka/log/test/controller-2.0.0.log-expected.json new file mode 100644 index 00000000000..6d70907a077 --- /dev/null +++ b/filebeat/module/kafka/log/test/controller-2.0.0.log-expected.json 
@@ -0,0 +1,313 @@ +[ + { + "@timestamp": "2018-10-31T15:03:32.474Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 0, + "message": "Checking need to trigger auto leader balancing", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.474Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 133, + "message": "Preferred replicas by broker Map(20 -> Map(__consumer_offsets-22 -> Vector(20), __consumer_offsets-4 -> Vector(20), __consumer_offsets-7 -> Vector(20), __consumer_offsets-46 -> Vector(20), __consumer_offsets-25 -> Vector(20), __consumer_offsets-49 -> Vector(20), __consumer_offsets-16 -> Vector(20), test-0 -> Vector(20, 30, 10), __consumer_offsets-28 -> Vector(20), __consumer_offsets-31 -> Vector(20), test-2-2 -> Vector(20, 30), __consumer_offsets-37 -> Vector(20), filebeat-system-0 -> Vector(20), test-3-3 -> Vector(20, 30), __consumer_offsets-19 -> Vector(20), __consumer_offsets-13 -> Vector(20), __consumer_offsets-43 -> Vector(20), __consumer_offsets-1 -> Vector(20), __consumer_offsets-34 -> Vector(20), __consumer_offsets-10 -> Vector(20), test-3 -> Vector(20, 10, 30), __consumer_offsets-40 -> Vector(20)), 10 -> Map(__consumer_offsets-30 -> Vector(10), __consumer_offsets-21 -> Vector(10), __consumer_offsets-27 -> Vector(10), __consumer_offsets-9 -> Vector(10), __consumer_offsets-33 -> Vector(10), __consumer_offsets-36 -> Vector(10), __consumer_offsets-42 -> Vector(10), __consumer_offsets-3 -> Vector(10), __consumer_offsets-18 -> Vector(10), test-5 -> Vector(10, 30, 20), __consumer_offsets-15 -> 
Vector(10), __consumer_offsets-24 -> Vector(10), test-3-1 -> Vector(10, 20), __consumer_offsets-48 -> Vector(10), filebeat-kafka-0 -> Vector(10), __consumer_offsets-6 -> Vector(10), test-2-1 -> Vector(10, 20), test-3-2 -> Vector(10, 30), __consumer_offsets-0 -> Vector(10), __consumer_offsets-39 -> Vector(10), __consumer_offsets-12 -> Vector(10), __consumer_offsets-45 -> Vector(10), test-2 -> Vector(10, 20, 30)), 30 -> Map(__consumer_offsets-8 -> Vector(30), __consumer_offsets-35 -> Vector(30), __consumer_offsets-41 -> Vector(30), __consumer_offsets-23 -> Vector(30), __consumer_offsets-47 -> Vector(30), metricbeat-0 -> Vector(30), test-3-0 -> Vector(30, 10), metricbeat-kafka-0 -> Vector(30), filebeat-0 -> Vector(30), test-2-0 -> Vector(30, 10), __consumer_offsets-38 -> Vector(30), __consumer_offsets-17 -> Vector(30), test-1 -> Vector(30, 10, 20), test-2-3 -> Vector(30, 20), __consumer_offsets-11 -> Vector(30), __consumer_offsets-2 -> Vector(30), __consumer_offsets-14 -> Vector(30), test-4 -> Vector(30, 20, 10), metricbeat-system-0 -> Vector(30), __consumer_offsets-20 -> Vector(30), __consumer_offsets-44 -> Vector(30), __consumer_offsets-5 -> Vector(30), __consumer_offsets-26 -> Vector(30), __consumer_offsets-29 -> Vector(30), __consumer_offsets-32 -> Vector(30)))", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.474Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 2717, + "message": "Topics not in preferred replica for broker 20 Map()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + 
"kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 2855, + "message": "Leader imbalance ratio for broker 20 is 0.0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 2985, + "message": "Topics not in preferred replica for broker 10 Map(test-3-1 -> Vector(10, 20))", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 3149, + "message": "Leader imbalance ratio for broker 10 is 0.043478260869565216", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 3296, + "message": "Topics not in preferred replica for broker 30 Map()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:03:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 3434, + "message": "Leader imbalance ratio for broker 30 is 0.0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + 
"event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 3564, + "message": "Checking need to trigger auto leader balancing", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 3697, + "message": "Preferred replicas by broker Map(20 -> Map(__consumer_offsets-22 -> Vector(20), __consumer_offsets-4 -> Vector(20), __consumer_offsets-7 -> Vector(20), __consumer_offsets-46 -> Vector(20), __consumer_offsets-25 -> Vector(20), __consumer_offsets-49 -> Vector(20), __consumer_offsets-16 -> Vector(20), test-0 -> Vector(20, 30, 10), __consumer_offsets-28 -> Vector(20), __consumer_offsets-31 -> Vector(20), test-2-2 -> Vector(20, 30), __consumer_offsets-37 -> Vector(20), filebeat-system-0 -> Vector(20), test-3-3 -> Vector(20, 30), __consumer_offsets-19 -> Vector(20), __consumer_offsets-13 -> Vector(20), __consumer_offsets-43 -> Vector(20), __consumer_offsets-1 -> Vector(20), __consumer_offsets-34 -> Vector(20), __consumer_offsets-10 -> Vector(20), test-3 -> Vector(20, 10, 30), __consumer_offsets-40 -> Vector(20)), 10 -> Map(__consumer_offsets-30 -> Vector(10), __consumer_offsets-21 -> Vector(10), __consumer_offsets-27 -> Vector(10), __consumer_offsets-9 -> Vector(10), __consumer_offsets-33 -> Vector(10), __consumer_offsets-36 -> Vector(10), __consumer_offsets-42 -> Vector(10), __consumer_offsets-3 -> Vector(10), __consumer_offsets-18 -> Vector(10), test-5 -> Vector(10, 30, 20), __consumer_offsets-15 -> Vector(10), __consumer_offsets-24 -> Vector(10), test-3-1 -> Vector(10, 20), 
__consumer_offsets-48 -> Vector(10), filebeat-kafka-0 -> Vector(10), __consumer_offsets-6 -> Vector(10), test-2-1 -> Vector(10, 20), test-3-2 -> Vector(10, 30), __consumer_offsets-0 -> Vector(10), __consumer_offsets-39 -> Vector(10), __consumer_offsets-12 -> Vector(10), __consumer_offsets-45 -> Vector(10), test-2 -> Vector(10, 20, 30)), 30 -> Map(__consumer_offsets-8 -> Vector(30), __consumer_offsets-35 -> Vector(30), __consumer_offsets-41 -> Vector(30), __consumer_offsets-23 -> Vector(30), __consumer_offsets-47 -> Vector(30), metricbeat-0 -> Vector(30), test-3-0 -> Vector(30, 10), metricbeat-kafka-0 -> Vector(30), filebeat-0 -> Vector(30), test-2-0 -> Vector(30, 10), __consumer_offsets-38 -> Vector(30), __consumer_offsets-17 -> Vector(30), test-1 -> Vector(30, 10, 20), test-2-3 -> Vector(30, 20), __consumer_offsets-11 -> Vector(30), __consumer_offsets-2 -> Vector(30), __consumer_offsets-14 -> Vector(30), test-4 -> Vector(30, 20, 10), metricbeat-system-0 -> Vector(30), __consumer_offsets-20 -> Vector(30), __consumer_offsets-44 -> Vector(30), __consumer_offsets-5 -> Vector(30), __consumer_offsets-26 -> Vector(30), __consumer_offsets-29 -> Vector(30), __consumer_offsets-32 -> Vector(30)))", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 6281, + "message": "Topics not in preferred replica for broker 20 Map()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 6419, + 
"message": "Leader imbalance ratio for broker 20 is 0.0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 6549, + "message": "Topics not in preferred replica for broker 10 Map(test-3-1 -> Vector(10, 20))", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 6713, + "message": "Leader imbalance ratio for broker 10 is 0.043478260869565216", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "DEBUG", + "log.offset": 6860, + "message": "Topics not in preferred replica for broker 30 Map()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:08:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "TRACE", + "log.offset": 6998, + "message": "Leader imbalance ratio for broker 30 is 0.0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:09:30.306Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + 
"input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "INFO", + "log.offset": 7128, + "message": "New topics: [Set(foo)], deleted topics: [Set()], new partition replica assignment [Map(foo-0 -> Vector(20))]", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:09:30.307Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.level": "INFO", + "log.offset": 7322, + "message": "New partition creation callback for foo-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:09:30.396Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.RequestSendThread", + "kafka.log.component": "RequestSendThread controllerId=10", + "log.level": "INFO", + "log.offset": 7449, + "message": "Controller 10 connected to 10.122.220.20:9094 (id: 20 rack: null) for sending state change requests", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:09:30.397Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.RequestSendThread", + "kafka.log.component": "RequestSendThread controllerId=10", + "log.level": "INFO", + "log.offset": 7653, + "message": "Controller 10 connected to 10.122.220.20:9093 (id: 10 rack: null) for sending state change requests", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:09:30.396Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.RequestSendThread", + "kafka.log.component": 
"RequestSendThread controllerId=10", + "log.level": "INFO", + "log.offset": 7857, + "message": "Controller 10 connected to 10.122.220.20:9095 (id: 30 rack: null) for sending state change requests", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-31T15:13:32.475Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.controller.KafkaController", + "kafka.log.component": "Controller id=10", + "log.flags": [ + "multiline" + ], + "log.level": "TRACE", + "log.offset": 8061, + "message": "Checking need to trigger auto leader balancing", + "service.type": "kafka" + } +] \ No newline at end of file diff --git a/filebeat/module/kafka/log/test/server-2.0.0.log-expected.json b/filebeat/module/kafka/log/test/server-2.0.0.log-expected.json new file mode 100644 index 00000000000..6fa2ebd1ec8 --- /dev/null +++ b/filebeat/module/kafka/log/test/server-2.0.0.log-expected.json 
@@ -0,0 +1,1407 @@ +[ + { + "@timestamp": "2018-10-17T12:04:41.718Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "GroupMetadataManager brokerId=10", + "log.level": "INFO", + "log.offset": 0, + "message": "Removed 0 expired offsets in 0 milliseconds.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:14:41.719Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "GroupMetadataManager brokerId=10", + "log.level": "INFO", + "log.offset": 158, + "message": "Removed 0 expired offsets in 1 milliseconds.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:24:41.719Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "GroupMetadataManager brokerId=10", + "log.level": "INFO", + "log.offset": 316, + "message": "Removed 0 expired offsets in 1 milliseconds.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:34:41.719Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "GroupMetadataManager brokerId=10", + "log.level": "INFO", + "log.offset": 474, + "message": "Removed 0 expired offsets in 0 milliseconds.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:44:41.719Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + 
"kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "GroupMetadataManager brokerId=10", + "log.level": "INFO", + "log.offset": 632, + "message": "Removed 0 expired offsets in 1 milliseconds.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.313Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 790, + "message": "Removed fetcher for partitions test-3", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.314Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-3 broker=10", + "log.level": "INFO", + "log.offset": 933, + "message": "test-3 starts at Leader Epoch 1 from offset 0. 
Previous Leader Epoch was: 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.321Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 1095, + "message": "Removed fetcher for partitions test-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.322Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 1238, + "message": "Added fetcher for partitions List([test-0, initOffset 0 to broker BrokerEndPoint(30,10.122.220.20,9095)] )", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.322Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 1450, + "message": "Added fetcher for partitions List()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.323Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 1601, + "message": "Shutting down", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.323Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + 
"fileset.name": "log", + "input.type": "log", + "kafka.log.class": "org.apache.kafka.clients.FetchSessionHandler", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 1738, + "message": "Error sending fetch request (sessionId=1901923426, epoch=30531) to node 20: java.nio.channels.ClosedSelectorException.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.324Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 1991, + "message": "Stopped", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.331Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 2122, + "message": "Shutdown completed", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.348Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 2264, + "message": "Removed fetcher for partitions test-5,test-2,test-2-1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.348Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-5 broker=10", + 
"log.level": "INFO", + "log.offset": 2423, + "message": "test-5 starts at Leader Epoch 1 from offset 0. Previous Leader Epoch was: 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.350Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-2 broker=10", + "log.level": "INFO", + "log.offset": 2585, + "message": "test-2 starts at Leader Epoch 1 from offset 0. Previous Leader Epoch was: 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.351Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-2-1 broker=10", + "log.level": "INFO", + "log.offset": 2747, + "message": "test-2-1 starts at Leader Epoch 1 from offset 0. 
Previous Leader Epoch was: 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.355Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 2913, + "message": "Removed fetcher for partitions ", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.360Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 3050, + "message": "Added fetcher for partitions List()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.361Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 3191, + "message": "Added fetcher for partitions List()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.421Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=30, fetcherId=0", + "log.level": "WARN", + "log.offset": 3342, + "message": "Based on follower's leader epoch, leader replied with an unknown offset in test-0. 
The initial fetch offset 0 will be used for truncation.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:23.421Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-0, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 3604, + "message": "Truncating to 0 has no effect as the largest offset in the log is -1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:50:24.508Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 3767, + "message": "Added fetcher for partitions List()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:51:56.064Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-5 broker=10", + "log.level": "INFO", + "log.offset": 3918, + "message": "Expanding ISR from 10,30 to 10,30,20", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:51:56.091Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-3 broker=10", + "log.level": "INFO", + "log.offset": 4041, + "message": "Expanding ISR from 10,30 to 10,30,20", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:51:56.098Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + 
"kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-2 broker=10", + "log.level": "INFO", + "log.offset": 4164, + "message": "Expanding ISR from 10,30 to 10,30,20", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:51:56.104Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-2-1 broker=10", + "log.level": "INFO", + "log.offset": 4287, + "message": "Expanding ISR from 10 to 10,20", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.461Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 4406, + "message": "Removed fetcher for partitions test-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.481Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 4549, + "message": "Added fetcher for partitions List([test-0, initOffset 0 to broker BrokerEndPoint(20,10.122.220.20,9094)] )", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.482Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 4761, + "message": "Added fetcher for partitions List()", + 
"service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.483Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 4912, + "message": "Starting", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.501Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "WARN", + "log.offset": 5044, + "message": "Based on follower's leader epoch, leader replied with an unknown offset in test-0. The initial fetch offset 0 will be used for truncation.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.504Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-0, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 5306, + "message": "Truncating to 0 has no effect as the largest offset in the log is -1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.504Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 5469, + "message": "Removed fetcher for partitions test-3", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.508Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + 
"event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 5612, + "message": "Added fetcher for partitions List([test-3, initOffset 0 to broker BrokerEndPoint(20,10.122.220.20,9094)] )", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:31.510Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 5824, + "message": "Added fetcher for partitions List()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:32.043Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "WARN", + "log.offset": 5975, + "message": "Based on follower's leader epoch, leader replied with an unknown offset in test-3. 
The initial fetch offset 0 will be used for truncation.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:32.044Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-3, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 6237, + "message": "Truncating to 0 has no effect as the largest offset in the log is -1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:54:41.719Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.coordinator.group.GroupMetadataManager", + "kafka.log.component": "GroupMetadataManager brokerId=10", + "log.level": "INFO", + "log.offset": 6400, + "message": "Removed 0 expired offsets in 0 milliseconds.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.790Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 6558, + "message": "Removed fetcher for partitions test-3-2", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.809Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-3-2, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 6703, + "message": "Loading producer state till offset 0 with message format version 2", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.810Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + 
"event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-3-2, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 6866, + "message": "Completed load of log with 1 segments, log start offset 0 and log end offset 0 in 2 ms", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.812Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.LogManager", + "kafka.log.component": "delete", + "log.level": "INFO", + "log.offset": 7049, + "message": "flush.ms -> 9223372036854775807, segment.ms -> 604800000, segment.bytes -> 1073741824, retention.ms -> 604800000, message.timestamp.difference.max.ms -> 9223372036854775807, segment.index.bytes -> 10485760, flush.messages -> 9223372036854775807}.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.816Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-3-2 broker=10", + "log.level": "INFO", + "log.offset": 7916, + "message": "No checkpointed highwatermark is found for partition test-3-2", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.816Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Replica", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 8066, + "message": "Replica loaded for partition test-3-2 with initial high watermark 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.816Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + 
"input.type": "log", + "kafka.log.class": "kafka.cluster.Replica", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 8189, + "message": "Replica loaded for partition test-3-2 with initial high watermark 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.816Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-3-2 broker=10", + "log.level": "INFO", + "log.offset": 8312, + "message": "test-3-2 starts at Leader Epoch 0 from offset 0. Previous Leader Epoch was: -1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.817Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Replica", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 8479, + "message": "Replica loaded for partition test-3-0 with initial high watermark 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.833Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-3-0, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 8602, + "message": "Loading producer state till offset 0 with message format version 2", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.833Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-3-0, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 8765, + "message": "Completed load of log with 1 segments, log start 
offset 0 and log end offset 0 in 5 ms", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.835Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.LogManager", + "kafka.log.component": "delete", + "log.level": "INFO", + "log.offset": 8948, + "message": "flush.ms -> 9223372036854775807, segment.ms -> 604800000, segment.bytes -> 1073741824, retention.ms -> 604800000, message.timestamp.difference.max.ms -> 9223372036854775807, segment.index.bytes -> 10485760, flush.messages -> 9223372036854775807}.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.836Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Partition", + "kafka.log.component": "Partition test-3-0 broker=10", + "log.level": "INFO", + "log.offset": 9815, + "message": "No checkpointed highwatermark is found for partition test-3-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.836Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.cluster.Replica", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 9965, + "message": "Replica loaded for partition test-3-0 with initial high watermark 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.837Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 10088, + "message": "Removed fetcher for partitions test-3-0", + "service.type": "kafka" + }, + { + "@timestamp": 
"2018-10-17T12:57:17.838Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 10233, + "message": "Added fetcher for partitions List([test-3-0, initOffset 0 to broker BrokerEndPoint(30,10.122.220.20,9095)] )", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.839Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 10447, + "message": "Added fetcher for partitions List()", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.896Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=30, fetcherId=0", + "log.level": "WARN", + "log.offset": 10598, + "message": "Based on follower's leader epoch, leader replied with an unknown offset in test-3-0. 
The initial fetch offset 0 will be used for truncation.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:17.897Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.log.Log", + "kafka.log.component": "Log partition=test-3-0, dir=/tmp/kafka-logs-10", + "log.level": "INFO", + "log.offset": 10862, + "message": "Truncating to 0 has no effect as the largest offset in the log is -1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:57:18.400Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=30, fetcherId=0", + "kafka.log.trace.class": "org.apache.kafka.common.errors.UnknownTopicOrPartitionException", + "kafka.log.trace.message": "This server does not host this topic-partition.", + "log.flags": [ + "multiline" + ], + "log.level": "ERROR", + "log.offset": 11027, + "message": "Error for partition test-3-0 at offset 0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.490Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "org.apache.kafka.common.utils.LoggingSignalHandler", + "kafka.log.component": "unknown", + "log.level": "INFO", + "log.offset": 11305, + "message": "Terminating process due to signal SIGTERM", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.492Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.KafkaServer", + "kafka.log.component": "KafkaServer id=10", + "log.level": "INFO", + "log.offset": 11431, + "message": "shutting down", + 
"service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.494Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.KafkaServer", + "kafka.log.component": "KafkaServer id=10", + "log.level": "INFO", + "log.offset": 11523, + "message": "Starting controlled shutdown", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.547Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 11630, + "message": "Removed fetcher for partitions ", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.550Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 11767, + "message": "Removed fetcher for partitions ", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.556Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 11914, + "message": "Removed fetcher for partitions test-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.556Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": 
"ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 12057, + "message": "Removed fetcher for partitions test-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.558Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 12210, + "message": "Removed fetcher for partitions test-3-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.558Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 12355, + "message": "Removed fetcher for partitions test-3-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.561Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 12510, + "message": "Removed fetcher for partitions test-2-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.561Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 12655, + "message": "Removed fetcher for partitions test-2-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.567Z", + 
"ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 12810, + "message": "Removed fetcher for partitions test-1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.567Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 12953, + "message": "Removed fetcher for partitions test-1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.568Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 13106, + "message": "Removed fetcher for partitions test-4", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.568Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 13249, + "message": "Removed fetcher for partitions test-4", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.568Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, 
leaderId=30, fetcherId=0", + "log.level": "INFO", + "log.offset": 13402, + "message": "Shutting down", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.577Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "org.apache.kafka.clients.FetchSessionHandler", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=30, fetcherId=0", + "log.level": "INFO", + "log.offset": 13539, + "message": "Error sending fetch request (sessionId=461323381, epoch=31537) to node 30: java.nio.channels.ClosedSelectorException.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.577Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=30, fetcherId=0", + "log.level": "INFO", + "log.offset": 13791, + "message": "Stopped", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.583Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=30, fetcherId=0", + "log.level": "INFO", + "log.offset": 13922, + "message": "Shutdown completed", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.585Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 14064, + "message": "Removed fetcher for partitions test-3", + "service.type": "kafka" + }, + { + "@timestamp": 
"2018-10-17T12:58:47.586Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 14207, + "message": "Removed fetcher for partitions test-3", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.594Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 14360, + "message": "Shutting down", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.601Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "org.apache.kafka.clients.FetchSessionHandler", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 14497, + "message": "Error sending fetch request (sessionId=1016438239, epoch=510) to node 20: java.nio.channels.ClosedSelectorException.", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.602Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 14748, + "message": "Stopped", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.602Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + 
"kafka.log.class": "kafka.server.ReplicaFetcherThread", + "kafka.log.component": "ReplicaFetcher replicaId=10, leaderId=20, fetcherId=0", + "log.level": "INFO", + "log.offset": 14879, + "message": "Shutdown completed", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.604Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.KafkaServer", + "kafka.log.component": "KafkaServer id=10", + "log.level": "INFO", + "log.offset": 15021, + "message": "Controlled shutdown succeeded", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.605Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.common.ZkNodeChangeNotificationListener$ChangeEventProcessThread", + "kafka.log.component": "/config/changes-event-process-thread", + "log.level": "INFO", + "log.offset": 15129, + "message": "Shutting down", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.606Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.common.ZkNodeChangeNotificationListener$ChangeEventProcessThread", + "kafka.log.component": "/config/changes-event-process-thread", + "log.level": "INFO", + "log.offset": 15287, + "message": "Stopped", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.606Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 15439, + "message": "Removed fetcher for partitions ", + "service.type": "kafka" + }, + { + "@timestamp": 
"2018-10-17T12:58:47.606Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 15576, + "message": "Removed fetcher for partitions ", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.606Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.common.ZkNodeChangeNotificationListener$ChangeEventProcessThread", + "kafka.log.component": "/config/changes-event-process-thread", + "log.level": "INFO", + "log.offset": 15723, + "message": "Shutdown completed", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.607Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.network.SocketServer", + "kafka.log.component": "SocketServer brokerId=10", + "log.level": "INFO", + "log.offset": 15886, + "message": "Stopping socket server request processors", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.608Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 16015, + "message": "Removed fetcher for partitions test-3", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.608Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": 
"ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 16158, + "message": "Removed fetcher for partitions test-3", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.609Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 16311, + "message": "Removed fetcher for partitions test-1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.609Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 16454, + "message": "Removed fetcher for partitions test-1", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.610Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 16607, + "message": "Removed fetcher for partitions test-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.610Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 16750, + "message": "Removed fetcher for partitions test-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.611Z", + "ecs.version": 
"1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaFetcherManager", + "kafka.log.component": "ReplicaFetcherManager on broker 10", + "log.level": "INFO", + "log.offset": 16903, + "message": "Removed fetcher for partitions test-3-0", + "service.type": "kafka" + }, + { + "@timestamp": "2018-10-17T12:58:47.611Z", + "ecs.version": "1.0.0", + "event.dataset": "kafka.log", + "event.module": "kafka", + "fileset.name": "log", + "input.type": "log", + "kafka.log.class": "kafka.server.ReplicaAlterLogDirsManager", + "kafka.log.component": "ReplicaAlterLogDirsManager on broker 10", + "log.level": "INFO", + "log.offset": 17048, + "message": "Removed fetcher for partitions test-3-0", + "service.type": "kafka" + } +] \ No newline at end of file diff --git a/filebeat/module/kibana/log/test/log.624.log-expected.json b/filebeat/module/kibana/log/test/log.624.log-expected.json new file mode 100644 index 00000000000..675d68259a9 --- /dev/null +++ b/filebeat/module/kibana/log/test/log.624.log-expected.json 
@@ -0,0 +1,2434 @@ +[ + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:kibana@6.3.0", + "info" + ], + "log.offset": 0, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:elasticsearch@6.3.0", + "info" + ], + "log.offset": 243, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:xpack_main@6.3.0", + "info" + ], + "log.offset": 515, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + 
"fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:searchprofiler@6.3.0", + "info" + ], + "log.offset": 784, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:ml@6.3.0", + "info" + ], + "log.offset": 1057, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:tilemap@6.3.0", + "info" + ], + "log.offset": 1318, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + 
"kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:watcher@6.3.0", + "info" + ], + "log.offset": 1584, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:license_management@6.3.0", + "info" + ], + "log.offset": 1850, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:index_management@6.3.0", + "info" + ], + "log.offset": 2105, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:timelion@6.3.0", + "info" + ], + "log.offset": 2358, + 
"message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:graph@6.3.0", + "info" + ], + "log.offset": 2603, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:monitoring@6.3.0", + "info" + ], + "log.offset": 2867, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:security@6.3.0", + "info" + ], + "log.offset": 3114, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + 
"@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "security", + "warning" + ], + "log.offset": 3381, + "message": "Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "security", + "warning" + ], + "log.offset": 3653, + "message": "Session cookies will be transmitted over insecure connections. This is not recommended.", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:grokdebugger@6.3.0", + "info" + ], + "log.offset": 3846, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + 
"kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:dashboard_mode@6.3.0", + "info" + ], + "log.offset": 4117, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:logstash@6.3.0", + "info" + ], + "log.offset": 4368, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:apm@6.3.0", + "info" + ], + "log.offset": 4635, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:console@6.3.0", + "info" + ], + "log.offset": 4875, + "message": "Status changed from uninitialized to green 
- Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:console_extensions@6.3.0", + "info" + ], + "log.offset": 5119, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:metrics@6.3.0", + "info" + ], + "log.offset": 5374, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "warning" + ], + "log.offset": 5618, + "message": "Generating a random key for xpack.reporting.encryptionKey. 
To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:reporting@6.3.0", + "info" + ], + "log.offset": 5890, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "listening", + "info" + ], + "log.offset": 6158, + "message": "Server running at http://localhost:5601", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:elasticsearch@6.3.0", + "info" + ], + "log.offset": 6301, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + 
"fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "license", + "info", + "xpack" + ], + "log.offset": 6549, + "message": "Imported license information from Elasticsearch for the [data] cluster: mode: basic | status: active | expiry date: Invalid date", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:xpack_main@6.3.0", + "info" + ], + "log.offset": 6787, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:searchprofiler@6.3.0", + "info" + ], + "log.offset": 7032, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + 
"plugin:ml@6.3.0", + "info" + ], + "log.offset": 7281, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:tilemap@6.3.0", + "info" + ], + "log.offset": 7518, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:watcher@6.3.0", + "info" + ], + "log.offset": 7760, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:graph@6.3.0", + "info" + ], + "log.offset": 8002, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + 
"@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:security@6.3.0", + "info" + ], + "log.offset": 8242, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:grokdebugger@6.3.0", + "info" + ], + "log.offset": 8485, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:logstash@6.3.0", + "info" + ], + "log.offset": 8732, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": 
"Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:reporting@6.3.0", + "info" + ], + "log.offset": 8975, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "info", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 9219, + "message": "Starting all Kibana monitoring collectors", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:35.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "license", + "info", + "xpack" + ], + "log.offset": 9388, + "message": "Imported license information from Elasticsearch for the [monitoring] cluster: mode: basic | status: active | expiry date: Invalid date", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:57:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 68000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.response.body.bytes": 9, + "http.response.status_code": 200, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + 
"kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.upgrade-insecure-requests": "1", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 9632, + "message": "GET / 200 68ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 224000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/", + "http.response.body.bytes": 9, + "http.response.status_code": 200, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.upgrade-insecure-requests": "1", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 10332, + "message": "GET /app/kibana 200 224ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/app/kibana", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 
Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 43000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"d1d40f3af2904b0fe2832615909d39cc87d63bec-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 11124, + "message": "GET /bundles/app/kibana/bootstrap.js 304 43ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/app/kibana/bootstrap.js", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 30000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "text/css,*/*;q=0.1", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": 
"keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"63a7e0fe485c0cf6bd57434a91c2f2e485bf2d32-/bundles/-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 11930, + "message": "GET /bundles/kibana.style.css 304 30ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/kibana.style.css", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 32000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"8e183c2e644fb050707d89402e1f7a120a95e4d2\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 12747, + "message": "GET /ui/favicons/favicon-32x32.png 304 32ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": 
"/ui/favicons/favicon-32x32.png", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 75000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "text/css,*/*;q=0.1", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"d9ef83163859bff075ba5d6e1c4ce799d32ba8bc-/bundles/-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 13632, + "message": "GET /bundles/vendors.style.css 304 75ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/vendors.style.css", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 54000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "text/css,*/*;q=0.1", + 
"kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"abe65868d7050c7459af42ab0a0f4c19889532b1-/bundles/-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 14451, + "message": "GET /bundles/commons.style.css 304 54ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/commons.style.css", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 13000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"13b869be5df4bdc56920edc16a28e67a7c08203b\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 15270, + "message": "GET /ui/favicons/favicon-16x16.png 
304 13ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/ui/favicons/favicon-16x16.png", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 131000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"333ee3fdd2264402ad73b95fab3fc725beb24674-/bundles/-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 16155, + "message": "GET /bundles/vendors.bundle.js 304 131ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/vendors.bundle.js", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 25000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": 
"http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"c052cafa0b661261d8ee3d16eff7bb0548fd8b6e-/bundles/-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 16961, + "message": "GET /bundles/commons.bundle.js 304 25ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/commons.bundle.js", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 18000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-none-match": "\"43e987f5a0e6423dd63e190cfacf091932021817-/bundles/-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + 
"log.offset": 17765, + "message": "GET /bundles/kibana.bundle.js 304 18ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/kibana.bundle.js", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:54.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 5000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"2c07a9656f1e38da408f20f1cf11581a15cbd7a2\"", + "kibana.log.meta.req.headers.origin": "http://localhost:5601", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 18567, + "message": "GET /ui/fonts/open_sans/open_sans_v15_latin_regular.woff2 304 5ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/ui/fonts/open_sans/open_sans_v15_latin_regular.woff2", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": 
"2018-05-09T10:57:54.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 181000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 200, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "application/json, text/javascript, */*; q=0.01", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.kbn-version": "6.3.0", + "kibana.log.meta.req.headers.x-requested-with": "XMLHttpRequest", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 19493, + "message": "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_5_0 200 181ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_5_0", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 10000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + 
"kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"4cc79a4d91bd0380d0c82a6b092f339d185670ef-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 20408, + "message": "GET /plugins/kibana/assets/visualize.svg 304 10ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/visualize.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 13000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"c4035451a8e776d0f0cd354a825ec432ad06884e-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 21310, + "message": "GET 
/plugins/kibana/assets/discover.svg 304 13ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/discover.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 19000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"42c2161fa64691414784868afdd722444460763a-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 22210, + "message": "GET /plugins/kibana/assets/dashboard.svg 304 19ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/dashboard.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + 
"event.duration": 27000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:27 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"cb793d5314d680b7d5ce130f0393a70b51989541-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 23112, + "message": "GET /plugins/timelion/icon.svg 304 27ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/timelion/icon.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 28000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": 
"keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"cdb6515bc1340e806d4f17cbeea6a51eb5f40732-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 23994, + "message": "GET /plugins/apm/icon.svg 304 28ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/apm/icon.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 24000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"088a9a98c99e406dca2354af14f688ad84826b97-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 24866, + "message": "GET /plugins/kibana/assets/wrench.svg 304 24ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + 
"source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/wrench.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 26000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"a41ecd3d2ac0a1e77a72845479fc416658c609f8-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 25762, + "message": "GET /plugins/monitoring/icons/monitoring.svg 304 26ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/monitoring/icons/monitoring.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 22000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": 
"http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"4f859e27d4917026ff1590805887902b14ce79d5-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 26672, + "message": "GET /plugins/kibana/assets/settings.svg 304 22ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/settings.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 22000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 
03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"becef0294f6fdb73b9bf3ce52750e7e1b246e88f-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 27572, + "message": "GET /plugins/security/images/person.svg 304 22ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/security/images/person.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 17000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"668bb08fe12a79ded121708cef3beebc475a2bea-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 28472, + "message": "GET /plugins/security/images/logout.svg 304 17ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": 
"/plugins/security/images/logout.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 15000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"2433ecf38258f7121c835670b6993600e7657717-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 29372, + "message": "GET /plugins/kibana/assets/play-circle.svg 304 15ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/play-circle.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 129000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + 
"http.response.status_code": 200, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "application/json, text/plain, */*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.kbn-version": "6.3.0", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 30278, + "message": "GET /api/saved_objects/_find?type=index-pattern&per_page=10000&page=1 200 129ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/api/saved_objects/_find?type=index-pattern&per_page=10000&page=1", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 5000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/bundles/commons.style.css", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:54:49 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"eacd5acd1258d9b09e78dbc1958744f30e38bcbd-gzip\"", + 
"kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 31136, + "message": "GET /bundles/ebdca7741674eca4e1fadeca157f3ae6.svg 304 5ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/bundles/ebdca7741674eca4e1fadeca157f3ae6.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 3000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"8e183c2e644fb050707d89402e1f7a120a95e4d2\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 32084, + "message": "GET /ui/favicons/favicon-32x32.png 304 3ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/ui/favicons/favicon-32x32.png", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 5000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 200, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "application/json, text/plain, */*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.kbn-version": "6.3.0", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 32967, + "message": "GET /api/xpack/v1/info 200 5ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/api/xpack/v1/info", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 15000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": 
"keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"457dc00b37f24a612e3e51bf323121ffdb4386dd-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 33727, + "message": "GET /plugins/kibana/assets/app_monitoring.svg 304 15ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_monitoring.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 17000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"6561a902856504eaf56de28322529e13881654af-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 34639, + "message": "GET /plugins/kibana/assets/app_apm.svg 304 17ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + 
], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_apm.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 20000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"1c8bf6856f43e3624697a537b3cec2fe995134b9-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 35537, + "message": "GET /plugins/kibana/assets/app_logging.svg 304 20ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_logging.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 23000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", 
+ "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"63fbb8a8097faaab028c60c5bfe4fb3564b54617-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 36443, + "message": "GET /plugins/kibana/assets/app_discover.svg 304 23ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_discover.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 26000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + 
"kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"b4261017978445223123954c34d7f62499a61e72-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 37351, + "message": "GET /plugins/kibana/assets/app_dashboard.svg 304 26ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_dashboard.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 28000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"154317cbb2d2fb1a29cc4ea1fce567e006b73451-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 38261, + "message": "GET /plugins/kibana/assets/app_security.svg 304 28ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + 
"source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_security.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 4000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"51bf11135e7f37b7a9043190b668e9937c3bfeea-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 39169, + "message": "GET /plugins/graph/assets/app_graph.svg 304 4ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/graph/assets/app_graph.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 7000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + 
"http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"83ce11e8c3f1541a87bd6a4f79db4fb7bb87b93b-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 40067, + "message": "GET /plugins/ml/assets/app_ml.svg 304 7ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/ml/assets/app_ml.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 7000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + 
"kibana.log.meta.req.headers.if-none-match": "\"f9495c0fc17cac4af10c948301bf08c1a45911db-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 40953, + "message": "GET /plugins/kibana/assets/app_timelion.svg 304 7ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_timelion.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 30000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"11273d325dd73b3f8b3eee569b56068b690d6d9e-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 41859, + "message": "GET /plugins/kibana/assets/app_visualize.svg 304 30ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_visualize.svg", + 
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 20000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"5a6a45d6f98752b11ccb7c4f0f6fd7faf18ad1a7\"", + "kibana.log.meta.req.headers.origin": "http://localhost:5601", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 42769, + "message": "GET /ui/fonts/open_sans/open_sans_v15_latin_700.woff2 304 20ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/ui/fonts/open_sans/open_sans_v15_latin_700.woff2", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 21000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + 
"http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"25044a6e1d5e83bb615c5971068f0c5152c77ef1-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 43689, + "message": "GET /plugins/kibana/assets/app_console.svg 304 21ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_console.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 26000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "*/*", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + "kibana.log.meta.req.headers.if-none-match": 
"\"24234c1c81b3948758c1a0be8e5a65386ca94c52\"", + "kibana.log.meta.req.headers.origin": "http://localhost:5601", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 44595, + "message": "GET /ui/fonts/open_sans/open_sans_v15_latin_600.woff2 304 26ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/ui/fonts/open_sans/open_sans_v15_latin_600.woff2", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 34000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"4f29178ca608fa80e8dd4574ba430d2e1c35c696-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 45515, + "message": "GET /plugins/kibana/assets/app_index_pattern.svg 304 34ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": 
"/plugins/kibana/assets/app_index_pattern.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 44000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:26 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"55ba19c1c215bd5631cd99fca8f5792acc0a7296-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 46433, + "message": "GET /plugins/kibana/assets/app_saved_objects.svg 304 44ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/kibana/assets/app_saved_objects.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 14000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + 
"http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:56:42 GMT", + "kibana.log.meta.req.headers.if-none-match": "\"ae65d07bcf6e13b041a12384c8a3219c2a1e3f1c-gzip\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 47351, + "message": "GET /plugins/watcher/assets/app_watches.svg 304 14ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/plugins/watcher/assets/app_watches.svg", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + }, + { + "@timestamp": "2018-05-09T10:57:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.duration": 5000000, + "event.module": "kibana", + "fileset.name": "log", + "http.request.method": "get", + "http.request.referrer": "http://localhost:5601/app/kibana", + "http.response.body.bytes": 9, + "http.response.status_code": 304, + "input.type": "log", + "kibana.log.meta.req.headers.accept": "image/webp,image/apng,image/*,*/*;q=0.8", + "kibana.log.meta.req.headers.accept-encoding": "gzip, deflate, br", + "kibana.log.meta.req.headers.accept-language": "en-US,en;q=0.9,de;q=0.8", + "kibana.log.meta.req.headers.connection": "keep-alive", + "kibana.log.meta.req.headers.host": "localhost:5601", + "kibana.log.meta.req.headers.if-modified-since": "Thu, 03 May 2018 09:45:28 GMT", + 
"kibana.log.meta.req.headers.if-none-match": "\"13b869be5df4bdc56920edc16a28e67a7c08203b\"", + "kibana.log.meta.req.userAgent": "127.0.0.1", + "kibana.log.meta.type": "response", + "kibana.log.tags": [], + "log.offset": 48259, + "message": "GET /ui/favicons/favicon-16x16.png 304 5ms - 9.0B", + "process.pid": 69410, + "service.name": [ + "kibana" + ], + "service.type": "kibana", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/ui/favicons/favicon-16x16.png", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" + } +] \ No newline at end of file diff --git a/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json b/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json new file mode 100644 index 00000000000..e197699a009 --- /dev/null +++ b/filebeat/module/kibana/log/test/log.verbose.624.log-expected.json 
@@ -0,0 +1,2243 @@ +[ + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 0, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.load.concurrents.5601": 0, + "kibana.log.meta.load.sockets.http.total": 0, + "kibana.log.meta.load.sockets.https.total": 0, + "kibana.log.meta.os.load": [ + 4.75537109375, + 5.1513671875, + 4.4111328125 + ], + "kibana.log.meta.os.mem.free": 101990400, + "kibana.log.meta.os.mem.total": 17179869184, + "kibana.log.meta.os.uptime": 622892, + "kibana.log.meta.proc.delay": 1.456926941871643, + "kibana.log.meta.proc.mem.external": 50628, + "kibana.log.meta.proc.mem.heapTotal": 209911808, + "kibana.log.meta.proc.mem.heapUsed": 119288176, + "kibana.log.meta.proc.mem.rss": 236576768, + "kibana.log.meta.proc.uptime": 22.791, + "kibana.log.meta.type": "ops", + "kibana.log.tags": [], + "log.offset": 276, + "message": "memory: 113.8MB uptime: 0:00:23 load: [4.76 5.15 4.41] delay: 1.457", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/console", + 
"kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 799, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/console", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/elasticsearch", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 1085, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/input_control_vis", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 1383, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/input_control_vis", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_doc_views", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 1689, + "message": "Found plugin at 
/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_doc_views", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_vislib_vis_types", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 1987, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kbn_vislib_vis_types", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 2299, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/markdown_vis", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 2583, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/markdown_vis", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + 
"service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metric_vis", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 2879, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metric_vis", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metrics", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 3171, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/metrics", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/region_map", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 3457, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/region_map", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": 
"log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/spy_modes", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 3749, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/spy_modes", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/state_session_storage_redirect", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 4039, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/state_session_storage_redirect", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/status_page", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 4371, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/status_page", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": 
"/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/table_vis", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 4665, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/table_vis", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tagcloud", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 4955, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tagcloud", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tile_map", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 5243, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/tile_map", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/timelion", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 5531, 
+ "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/timelion", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:58:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.path": "/Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/vega", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 5819, + "message": "Found plugin at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/src/core_plugins/vega", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "debug", + "optimize" + ], + "log.offset": 6099, + "message": "All bundles are cached and ready to go!", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.config.@elastic/eslint-import-resolver-kibana.projectRoot": false, + "kibana.log.meta.plugin.name": "kibana", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 6242, + "message": "Initializing plugin kibana@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + 
"fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:kibana@6.3.0", + "info" + ], + "log.offset": 6498, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "elasticsearch", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 6741, + "message": "Initializing plugin elasticsearch@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:elasticsearch@6.3.0", + "info" + ], + "log.offset": 6937, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + 
"plugin:xpack_main@6.3.0", + "info" + ], + "log.offset": 9719, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:searchprofiler@6.3.0", + "info" + ], + "log.offset": 12502, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:ml@6.3.0", + "info" + ], + "log.offset": 15277, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "kbn_vislib_vis_types", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 15538, + "message": "Initializing plugin kbn_vislib_vis_types@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + 
], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:tilemap@6.3.0", + "info" + ], + "log.offset": 18255, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:watcher@6.3.0", + "info" + ], + "log.offset": 21028, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:license_management@6.3.0", + "info" + ], + "log.offset": 23812, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + 
"event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:index_management@6.3.0", + "info" + ], + "log.offset": 26583, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "input_control_vis", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 26836, + "message": "Initializing plugin input_control_vis@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "kbn_doc_views", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 27040, + "message": "Initializing plugin kbn_doc_views@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "markdown_vis", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 27236, + "message": "Initializing plugin 
markdown_vis@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "metric_vis", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 27430, + "message": "Initializing plugin metric_vis@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "region_map", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 27620, + "message": "Initializing plugin region_map@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "spy_modes", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 27810, + "message": "Initializing plugin spy_modes@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.description": "When using the state:storeInSessionStorage setting with the short-urls, we 
need some way to get the full URL's hashed states into sessionStorage, this app will grab the URL from the kbn-initial-state and and put the URL hashed states into sessionStorage before redirecting the user.", + "kibana.log.meta.plugin.name": "state_session_storage_redirect", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 27998, + "message": "Initializing plugin state_session_storage_redirect@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "status_page", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 28527, + "message": "Initializing plugin status_page@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "table_vis", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 28719, + "message": "Initializing plugin table_vis@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "tagcloud", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + 
"debug" + ], + "log.offset": 28907, + "message": "Initializing plugin tagcloud@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.name": "tile_map", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 29093, + "message": "Initializing plugin tile_map@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.author": "Rashid Khan ", + "kibana.log.meta.plugin.name": "timelion", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 29279, + "message": "Initializing plugin timelion@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:timelion@6.3.0", + "info" + ], + "log.offset": 29508, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + 
"event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:graph@6.3.0", + "info" + ], + "log.offset": 32258, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:monitoring@6.3.0", + "info" + ], + "log.offset": 35032, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:security@6.3.0", + "info" + ], + "log.offset": 37787, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "security", + "warning" + 
], + "log.offset": 38054, + "message": "Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "security", + "warning" + ], + "log.offset": 38326, + "message": "Session cookies will be transmitted over insecure connections. This is not recommended.", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:grokdebugger@6.3.0", + "info" + ], + "log.offset": 41031, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:dashboard_mode@6.3.0", + "info" + ], + "log.offset": 43816, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + 
"service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:logstash@6.3.0", + "info" + ], + "log.offset": 46575, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:apm@6.3.0", + "info" + ], + "log.offset": 49345, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.author": "Boaz Leskes ", + "kibana.log.meta.plugin.contributors": [ + "Spencer Alger " + ], + "kibana.log.meta.plugin.name": "console", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 52090, + "message": "Initializing plugin console@6.3.0", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + 
"event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:console@6.3.0", + "info" + ], + "log.offset": 52374, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:console_extensions@6.3.0", + "info" + ], + "log.offset": 55136, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.author": "Chris Cowan", + "kibana.log.meta.plugin.name": "metrics", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 55391, + "message": "Initializing plugin metrics@6.3.0", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + 
"kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:metrics@6.3.0", + "info" + ], + "log.offset": 55615, + "message": "Status changed from uninitialized to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.plugin.author": "Yuri Astrakhan", + "kibana.log.meta.plugin.name": "vega", + "kibana.log.meta.plugin.version": "kibana", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugins", + "debug" + ], + "log.offset": 55859, + "message": "Initializing plugin vega@kibana", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "debug", + "exportTypes" + ], + "log.offset": 58589, + "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/csv/server/index.js", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:01.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "debug", + "exportTypes" + ], + "log.offset": 58853, + "message": "Found exportType at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/node_modules/x-pack/plugins/reporting/export_types/printable_pdf/server/index.js", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + 
"@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "warning" + ], + "log.offset": 59127, + "message": "Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "debug" + ], + "log.offset": 59399, + "message": "Browser type: phantom", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "uninitialized", + "kibana.log.meta.prevState": "uninitialized", + "kibana.log.meta.type": "log", + "kibana.log.state": "yellow", + "kibana.log.tags": [ + "status", + "plugin:reporting@6.3.0", + "info" + ], + "log.offset": 59525, + "message": "Status changed from uninitialized to yellow - Waiting for Elasticsearch", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "debug" + ], + "log.offset": 59793, + "message": "Running on os \"darwin\", distribution \"undefined\", release \"undefined\"", + 
"process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "debug" + ], + "log.offset": 59973, + "message": "Browser installed at /Users/ruflin/Downloads/6.3/kibana-6.3.0-darwin-x86_64/data/phantomjs-2.1.1-macosx/bin/phantomjs", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "worker", + "debug" + ], + "log.offset": 60195, + "message": "CSV: Registering CSV worker", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "esqueue", + "worker", + "debug" + ], + "log.offset": 60336, + "message": "jgyzr8b31hu86bfe3bf3pw9w - Created worker for job type csv", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "worker", + "debug" + ], + "log.offset": 60518, + "message": "PDF: Registering PDF worker", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": 
"2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "reporting", + "esqueue", + "worker", + "debug" + ], + "log.offset": 60659, + "message": "jgyzr8b81hu86bfe3bf6jd27 - Created worker for job type printable_pdf", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "server", + "uuid", + "uuid" + ], + "log.offset": 60851, + "message": "Resuming persistent Kibana instance UUID: a41ec841-89ba-4872-a15a-865858f9680e", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "listening", + "info" + ], + "log.offset": 61037, + "message": "Server running at http://localhost:5601", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 61180, + "message": "Checking Elasticsearch version", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + 
"input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:elasticsearch@6.3.0", + "info" + ], + "log.offset": 61312, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "license", + "debug", + "xpack" + ], + "log.offset": 61560, + "message": "Calling [data] Elasticsearch _xpack API. Polling frequency: 30001", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "license", + "info", + "xpack" + ], + "log.offset": 61736, + "message": "Imported license information from Elasticsearch for the [data] cluster: mode: basic | status: active | expiry date: Invalid date", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "monitoring-ui", + "es-client" + ], + "log.offset": 61974, + "message": "config sourced from: production cluster (http://localhost:9200)", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + 
"event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:xpack_main@6.3.0", + "info" + ], + "log.offset": 62150, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:searchprofiler@6.3.0", + "info" + ], + "log.offset": 62395, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:ml@6.3.0", + "info" + ], + "log.offset": 62644, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", 
+ "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:tilemap@6.3.0", + "info" + ], + "log.offset": 62881, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:watcher@6.3.0", + "info" + ], + "log.offset": 63123, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:graph@6.3.0", + "info" + ], + "log.offset": 63365, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:security@6.3.0", + "info" + ], + "log.offset": 63605, + "message": "Status changed from yellow to green 
- Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:grokdebugger@6.3.0", + "info" + ], + "log.offset": 63848, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:logstash@6.3.0", + "info" + ], + "log.offset": 64095, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.prevMsg": "Waiting for Elasticsearch", + "kibana.log.meta.prevState": "yellow", + "kibana.log.meta.type": "log", + "kibana.log.state": "green", + "kibana.log.tags": [ + "status", + "plugin:reporting@6.3.0", + "info" + ], + "log.offset": 64338, + "message": "Status changed from yellow to green - Ready", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": 
"kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "license", + "debug", + "xpack" + ], + "log.offset": 64582, + "message": "Calling [monitoring] Elasticsearch _xpack API. Polling frequency: 30001", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "info", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 64764, + "message": "Starting all Kibana monitoring collectors", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "debug", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 64933, + "message": "Initializing kibana_stats collector", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "debug", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 65097, + "message": "Setting logger for kibana_stats collector", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": 
"log", + "kibana.log.tags": [ + "debug", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 65267, + "message": "Setting logger for kibana_settings collector", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "debug", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 65440, + "message": "Fetching data from kibana_stats collector", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "debug", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 65610, + "message": "Uploading bulk Kibana monitoring payload", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "license", + "info", + "xpack" + ], + "log.offset": 65779, + "message": "Imported license information from Elasticsearch for the [monitoring] cluster: mode: basic | status: active | expiry date: Invalid date", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:04.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.load.concurrents.5601": 0, + 
"kibana.log.meta.load.sockets.http.169.254.169.254:80:": 1, + "kibana.log.meta.load.sockets.http.total": 1, + "kibana.log.meta.load.sockets.https.total": 0, + "kibana.log.meta.os.load": [ + 4.85498046875, + 5.1650390625, + 4.42041015625 + ], + "kibana.log.meta.os.mem.free": 60276736, + "kibana.log.meta.os.mem.total": 17179869184, + "kibana.log.meta.os.uptime": 622897, + "kibana.log.meta.proc.delay": 0.5321840047836304, + "kibana.log.meta.proc.mem.external": 1608020, + "kibana.log.meta.proc.mem.heapTotal": 218456064, + "kibana.log.meta.proc.mem.heapUsed": 141104080, + "kibana.log.meta.proc.mem.rss": 249733120, + "kibana.log.meta.proc.uptime": 27.791, + "kibana.log.meta.type": "ops", + "kibana.log.tags": [], + "log.offset": 66023, + "message": "memory: 134.6MB uptime: 0:00:28 load: [4.85 5.17 4.42] delay: 0.532", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:04.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "debug", + "monitoring-ui", + "kibana-monitoring" + ], + "log.offset": 66573, + "message": "Received Kibana Ops event data", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + }, + { + "@timestamp": "2018-05-09T10:59:04.000Z", + "ecs.version": "1.0.0", + "event.dataset": "kibana.log", + "event.module": "kibana", + "fileset.name": "log", + "input.type": "log", + "kibana.log.meta.type": "log", + "kibana.log.tags": [ + "plugin", + "debug" + ], + "log.offset": 66732, + "message": "Checking Elasticsearch version", + "process.pid": 69776, + "service.name": [ + "kibana" + ], + "service.type": "kibana" + } +] \ No newline at end of file 
diff --git a/filebeat/module/mysql/error/test/mysql-darwin-brew-5.7.10.log-expected.json b/filebeat/module/mysql/error/test/mysql-darwin-brew-5.7.10.log-expected.json
new file mode 100644
index 00000000000..c192d4f0ed1
--- /dev/null
+++ b/filebeat/module/mysql/error/test/mysql-darwin-brew-5.7.10.log-expected.json
@@ -0,0 +1,1297 @@ +[ + { + "@timestamp": "2016-12-09T13:08:33.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 0, + "message": "mysqld_safe Starting mysqld daemon with databases from /usr/local/var/mysql", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.335Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 92, + "message": "TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.335Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 282, + "message": "Insecure configuration for --secure-file-priv: Current value does not restrict location of generated files. 
Consider setting it to a valid, non-empty path.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.336Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 478, + "message": "/usr/local/Cellar/mysql/5.7.10/bin/mysqld (mysqld 5.7.10) starting as process 61571 ...", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.345Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 603, + "message": "Setting lower_case_table_names=2 because file system for /usr/local/var/mysql/ is case insensitive", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.351Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 742, + "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.351Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 832, + "message": "InnoDB: Uses event mutexes", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.351Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 896, + "message": "InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.351Z", + 
"ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1004, + "message": "InnoDB: Compressed tables use zlib 1.2.3", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.352Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1082, + "message": "InnoDB: Number of pools: 1", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.354Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1146, + "message": "InnoDB: Using CPU crc32 instructions", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.366Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1220, + "message": "InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.379Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1343, + "message": "InnoDB: Completed initialization of buffer pool", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.401Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1428, + "message": "InnoDB: Highest supported file format is Barracuda.", + 
"mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.402Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1517, + "message": "InnoDB: Log scan progressed past the checkpoint lsn 2498863", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.402Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1614, + "message": "InnoDB: Doing recovery: scanned up to log sequence number 2498872", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.402Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1717, + "message": "InnoDB: Doing recovery: scanned up to log sequence number 2498872", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.402Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1820, + "message": "InnoDB: Database was not shutdown normally!", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.402Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1901, + "message": "InnoDB: Starting crash recovery.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.549Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + 
"input.type": "log", + "log.level": "Note", + "log.offset": 1971, + "message": "InnoDB: Removed temporary tablespace data file: \"ibtmp1\"", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.549Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2065, + "message": "InnoDB: Creating shared tablespace for temporary tables", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.549Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2158, + "message": "InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.585Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2292, + "message": "InnoDB: File './ibtmp1' size is now 12 MB.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.588Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2372, + "message": "InnoDB: 96 redo rollback segment(s) found. 
96 redo rollback segment(s) are active.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.588Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2492, + "message": "InnoDB: 32 non-redo rollback segment(s) are active.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.588Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2581, + "message": "InnoDB: Waiting for purge to start", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.641Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2653, + "message": "InnoDB: 5.7.10 started; log sequence number 2498872", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.642Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2742, + "message": "InnoDB: Loading buffer pool(s) from /usr/local/var/mysql/ib_buffer_pool", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.642Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2851, + "message": "InnoDB: not started", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.643Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + 
"input.type": "log", + "log.level": "Note", + "log.offset": 2908, + "message": "Plugin 'FEDERATED' is disabled.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.652Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2977, + "message": "InnoDB: Buffer pool(s) load completed at 161209 13:08:33", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.662Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3071, + "message": "Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.662Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3217, + "message": "Skipping generation of SSL certificates as certificate files are present in data directory.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.665Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 3346, + "message": "CA certificate ca.pem is self signed.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.665Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3424, + "message": "Skipping generation of RSA key pair as key files are present in data directory.", + 
"mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.698Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3541, + "message": "Server hostname (bind-address): '*'; port: 3306", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.699Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3626, + "message": "IPv6 is available.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.699Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3682, + "message": " - '::' resolves to '::';", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.699Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3746, + "message": "Server socket created on IP: '::'.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.784Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3818, + "message": "Event Scheduler: Loaded 0 events", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T12:08:33.784Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3888, + "message": 
"/usr/local/Cellar/mysql/5.7.10/bin/mysqld: ready for connections.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3991, + "message": "Version: '5.7.10' socket: '/tmp/mysql.sock' port: 3306 Homebrew", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T22:21:02.443Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4058, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 772568ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T22:36:49.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4232, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 898642ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T23:37:34.021Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4406, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3596603ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T00:17:54.198Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4581, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 2371678ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T01:18:38.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4756, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597590ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T01:39:00.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4931, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 1173583ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T02:39:45.021Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5106, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597610ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T02:49:08.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5281, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515469ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T03:24:15.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5455, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 2059611ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T04:25:00.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5630, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T04:34:24.021Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5805, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515589ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T04:39:18.022Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5979, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 246613ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T05:40:03.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6153, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T06:40:48.025Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6328, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595608ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T06:45:55.018Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6503, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 258594ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T07:46:40.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6677, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598632ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T07:56:04.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6852, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515603ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T08:56:49.390Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 7026, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597607ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T09:06:11.019Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 7201, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515633ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T10:06:56.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 7375, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597617ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T10:16:18.022Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 7550, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 514638ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T11:17:02.165Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 7724, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T11:30:44.018Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 7899, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 773594ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T12:03:24.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 8073, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 1912617ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T12:06:40.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 8248, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 150375ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T12:24:37.025Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 8422, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 1030636ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T13:25:22.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 8597, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3596603ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T13:39:05.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 8772, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 774598ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T14:39:50.178Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 8946, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597787ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T14:49:14.023Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 9121, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515462ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T15:49:59.022Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 9295, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3597628ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T15:59:23.014Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 9470, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515609ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T17:00:08.019Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 9644, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598607ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T17:09:30.026Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 9819, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515633ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T17:48:20.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 9993, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 2282610ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T18:00:05.183Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 10168, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515227ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T18:54:13.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 10342, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3200608ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T20:13:03.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 10517, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3089523ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T20:50:11.201Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 10692, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 2180623ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T20:53:54.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 10867, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 176629ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T21:03:18.023Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 11041, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 516622ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T22:04:03.021Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 11215, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598602ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T22:13:57.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 11390, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 545611ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T22:49:59.020Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 11564, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 2114631ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-10T23:12:12.023Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 11739, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 1287614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T00:12:57.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 11914, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595581ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T00:26:41.053Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 12089, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 773622ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T00:47:44.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 12263, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 1215572ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T00:49:50.017Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 12438, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 79642ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T01:20:40.031Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 12611, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 1803651ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T02:21:24.021Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 12786, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3595607ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T02:26:30.015Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 12961, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 257596ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T03:18:55.018Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 13135, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3097591ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T04:15:14.022Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 13310, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3331614ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T04:20:52.016Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 13485, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 289611ms. The settings might not be optimal. 
(flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T04:25:56.035Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 13659, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 257653ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T05:26:41.020Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 13833, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 3598198ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-11T05:36:05.024Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 14008, + "message": "InnoDB: page_cleaner: 1000ms intended loop took 515624ms. The settings might not be optimal. (flushed=0 and evicted=0, during the time.)", + "mysql.thread_id": 0, + "service.type": "mysql" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json new file mode 100644 index 00000000000..6bb6acde44e --- /dev/null +++ b/filebeat/module/mysql/error/test/mysql-ubuntu-5.5.53.log-expected.json 
@@ -0,0 +1,1107 @@ +[ + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 0, + "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 191, + "message": "Plugin 'FEDERATED' is disabled.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 246, + "message": "InnoDB: The InnoDB memory heap is disabled", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 305, + "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 374, + "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 433, + "message": "InnoDB: Initializing buffer pool, size = 128.0M", + "service.type": "mysql" + }, + { + "@timestamp": 
"2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 497, + "message": "InnoDB: Completed initialization of buffer pool", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 561, + "message": "InnoDB: The first specified data file ./ibdata1 did not exist:", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 624, + "message": "InnoDB: a new database to be created!", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 662, + "message": " InnoDB: Setting file ./ibdata1 size to 10 MB", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 724, + "message": "InnoDB: Database physically writes the file full: wait...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 782, + "message": " InnoDB: Log file ./ib_logfile0 did not exist: new to be created", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 863, + "message": "InnoDB: Setting log file ./ib_logfile0 size to 5 MB", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": 
"mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 915, + "message": "InnoDB: Database physically writes the file full: wait...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 973, + "message": " InnoDB: Log file ./ib_logfile1 did not exist: new to be created", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1054, + "message": "InnoDB: Setting log file ./ib_logfile1 size to 5 MB", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1106, + "message": "InnoDB: Database physically writes the file full: wait...", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1164, + "message": "InnoDB: Doublewrite buffer not found: creating new", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1215, + "message": "InnoDB: Doublewrite buffer created", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1250, + "message": "InnoDB: 127 rollback segment(s) active.", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1290, + "message": 
"InnoDB: Creating foreign key constraint system tables", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1344, + "message": "InnoDB: Foreign key constraint system tables created", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1397, + "message": " InnoDB: Waiting for the background threads to start", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1466, + "message": "InnoDB: 5.5.53 started; log sequence number 0", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1528, + "message": " InnoDB: Starting shutdown...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1574, + "message": " InnoDB: Shutdown completed; log sequence number 1595675", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 1647, + "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. 
Please use the full name instead.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 1838, + "message": "Plugin 'FEDERATED' is disabled.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1893, + "message": "InnoDB: The InnoDB memory heap is disabled", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 1952, + "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2021, + "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2080, + "message": "InnoDB: Initializing buffer pool, size = 128.0M", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2144, + "message": "InnoDB: Completed initialization of buffer pool", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + 
"event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2208, + "message": "InnoDB: highest supported file format is Barracuda.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:52.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2276, + "message": " InnoDB: Waiting for the background threads to start", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2345, + "message": "InnoDB: 5.5.53 started; log sequence number 1595675", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2413, + "message": "ERROR: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ALTER TABLE user ADD column Show_view_priv enum('N','Y') CHARACTER SET utf8 NOT ' at line 1", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 2653, + "message": "Aborting", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 2687, + "message": " InnoDB: Starting shutdown...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + 
"input.type": "log", + "log.offset": 2733, + "message": " InnoDB: Shutdown completed; log sequence number 1595675", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 2806, + "message": "/usr/sbin/mysqld: Shutdown complete", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 2866, + "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3057, + "message": "Plugin 'FEDERATED' is disabled.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3112, + "message": "InnoDB: The InnoDB memory heap is disabled", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3171, + "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": 
"log", + "log.offset": 3240, + "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3299, + "message": "InnoDB: Initializing buffer pool, size = 128.0M", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3363, + "message": "InnoDB: Completed initialization of buffer pool", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3427, + "message": "InnoDB: highest supported file format is Barracuda.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:53.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3495, + "message": " InnoDB: Waiting for the background threads to start", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:54.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3564, + "message": "InnoDB: 5.5.53 started; log sequence number 1595675", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:54.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3632, + "message": " InnoDB: Starting shutdown...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", 
+ "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 3678, + "message": "Aborting", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3712, + "message": " InnoDB: Starting shutdown...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 3758, + "message": " InnoDB: Shutdown completed; log sequence number 1595675", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 3831, + "message": "/usr/sbin/mysqld: Shutdown complete", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 3891, + "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. 
Please use the full name instead.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4082, + "message": "Plugin 'FEDERATED' is disabled.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4137, + "message": "InnoDB: The InnoDB memory heap is disabled", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4196, + "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4265, + "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4324, + "message": "InnoDB: Initializing buffer pool, size = 128.0M", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4388, + "message": "InnoDB: Completed initialization of buffer pool", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + 
"event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4452, + "message": "InnoDB: highest supported file format is Barracuda.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4520, + "message": " InnoDB: Waiting for the background threads to start", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4589, + "message": "InnoDB: 5.5.53 started; log sequence number 1595675", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4657, + "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4736, + "message": " - '127.0.0.1' resolves to '127.0.0.1';", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4800, + "message": "Server socket created on IP: '127.0.0.1'.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + 
"log.offset": 4865, + "message": "Event Scheduler: Loaded 0 events", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:18:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 4921, + "message": "/usr/sbin/mysqld: ready for connections.", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 4985, + "message": "Version: '5.5.53-0ubuntu0.12.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5081, + "message": "/usr/sbin/mysqld: Normal shutdown", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5139, + "message": "Event Scheduler: Purging the queue. 
0 events", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5207, + "message": " InnoDB: Starting shutdown...", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5253, + "message": " InnoDB: Shutdown completed; log sequence number 1595685", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5326, + "message": "/usr/sbin/mysqld: Shutdown complete", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 5386, + "message": "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. 
Please use the full name instead.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 5577, + "message": "Plugin 'FEDERATED' is disabled.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5632, + "message": "InnoDB: The InnoDB memory heap is disabled", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5691, + "message": "InnoDB: Mutexes and rw_locks use GCC atomic builtins", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5760, + "message": "InnoDB: Compressed tables use zlib 1.2.3.4", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5819, + "message": "InnoDB: Initializing buffer pool, size = 128.0M", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5883, + "message": "InnoDB: Completed initialization of buffer pool", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + 
"event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 5947, + "message": "InnoDB: highest supported file format is Barracuda.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:57.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6015, + "message": " InnoDB: Waiting for the background threads to start", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6084, + "message": "InnoDB: 5.5.53 started; log sequence number 1595685", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6152, + "message": "Server hostname (bind-address): '127.0.0.1'; port: 3306", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6231, + "message": " - '127.0.0.1' resolves to '127.0.0.1';", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6295, + "message": "Server socket created on IP: '127.0.0.1'.", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + 
"log.offset": 6360, + "message": "Event Scheduler: Loaded 0 events", + "service.type": "mysql" + }, + { + "@timestamp": "2016-12-09T14:37:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Note", + "log.offset": 6416, + "message": "/usr/sbin/mysqld: ready for connections.", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6480, + "message": "Version: '5.5.53-0ubuntu0.12.04.1-log' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6580, + "message": "vagrant@precise32:~$ cat /var/log/mysql.log | grep phisically", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6642, + "message": "vagrant@precise32:~$ cat /var/log/mysql.log | grep physi", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6699, + "message": "vagrant@precise32:~$ cat /var/log/mysql.log | physically", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6756, + "message": "physically: command not found", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6786, + "message": "vagrant@precise32:~$ cat /var/log/mysql.log | grep 
physically", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6848, + "message": "vagrant@precise32:~$ less /var/log/mysql.", + "service.type": "mysql" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.offset": 6890, + "message": "mysql.err mysql.log", + "service.type": "mysql" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/error/test/mysql-ubuntu-8.0.15.log-expected.json b/filebeat/module/mysql/error/test/mysql-ubuntu-8.0.15.log-expected.json new file mode 100644 index 00000000000..863d76ee7ba --- /dev/null +++ b/filebeat/module/mysql/error/test/mysql-ubuntu-8.0.15.log-expected.json 
@@ -0,0 +1,158 @@ +[ + { + "@timestamp": "2019-03-24T13:44:25.484Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 0, + "message": "[MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.15) initializing of server in progress as process 1640", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:27.924Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 144, + "message": "[MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.", + "mysql.thread_id": 5, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:29.065Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 320, + "message": "[MY-013170] [Server] /usr/sbin/mysqld (mysqld 8.0.15) initializing of server has completed", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:31.085Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 450, + "message": "[MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1688", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:31.533Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 568, + "message": "[MY-010068] [Server] CA certificate ca.pem is self signed.", + "mysql.thread_id": 0, + "service.type": "mysql" + 
}, + { + "@timestamp": "2019-03-24T13:44:31.534Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 667, + "message": "[MY-011810] [Server] Insecure configuration for --pid-file: Location '/tmp' in the path is accessible to all OS users. Consider choosing a different directory.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:31.555Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 867, + "message": "[MY-013172] [Server] Received SHUTDOWN from user boot. Shutting down mysqld (Version: 8.0.15).", + "mysql.thread_id": 6, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:33.236Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 1001, + "message": "[MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:34.072Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 1144, + "message": "[MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1834", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:34.406Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "Warning", + "log.offset": 1262, + "message": "[MY-010068] [Server] CA certificate ca.pem is self signed.", + "mysql.thread_id": 0, + 
"service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:34.420Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 1361, + "message": "[MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.15' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.", + "mysql.thread_id": 0, + "service.type": "mysql" + }, + { + "@timestamp": "2019-03-24T13:44:34.572Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.error", + "event.module": "mysql", + "fileset.name": "error", + "input.type": "log", + "log.level": "System", + "log.offset": 1562, + "message": "[MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock' bind-address: '::' port: 33060", + "mysql.thread_id": 0, + "service.type": "mysql" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/slowlog/test/mariadb-10.3.13.log-expected.json b/filebeat/module/mysql/slowlog/test/mariadb-10.3.13.log-expected.json new file mode 100644 index 00000000000..d5d0b7a5f17 --- /dev/null +++ b/filebeat/module/mysql/slowlog/test/mariadb-10.3.13.log-expected.json 
@@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2019-03-24T16:03:00.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 2461578000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 230, + "mysql.slowlog.bytes_sent": 319, + "mysql.slowlog.current_user": "root", + "mysql.slowlog.filesort": true, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": true, + "mysql.slowlog.lock_time.sec": 0.000196, + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.priority_queue": true, + "mysql.slowlog.query": "SELECT last_name, MAX(salary) AS salary FROM employees\n INNER JOIN salaries ON employees.emp_no = salaries.emp_no\n GROUP BY last_name\n ORDER BY salary DESC\n LIMIT 10;", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 3145718, + "mysql.slowlog.rows_sent": 10, + "mysql.slowlog.schema": "employees", + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": true, + "mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 4026528, + "mysql.slowlog.tmp_tables": 1, + "mysql.thread_id": "37", + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "root" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/slowlog/test/mysql-darwin-brew-5.7.10.log-expected.json b/filebeat/module/mysql/slowlog/test/mysql-darwin-brew-5.7.10.log-expected.json new file mode 100644 index 00000000000..11803d569a3 --- /dev/null +++ b/filebeat/module/mysql/slowlog/test/mysql-darwin-brew-5.7.10.log-expected.json 
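Review bot: `"mysql.thread_id": "37"` is a JSON string in this fixture, while the mysql-ubuntu-8.0.15 and mysql-darwin-brew-5.7.10 fixtures added in the same commit emit it as a number (`0`, `5`, `6`, `2`), so the new baseline locks a mixed-type field into the expected output. The same applies within this hunk to `"mysql.slowlog.tmp_disk_tables": "0"` next to `"mysql.slowlog.tmp_tables": 1`. If these fields are mapped as numeric in the module's fields definition, the string values suggest the MariaDB parsing path lacks the type conversion the MySQL path has; that is worth confirming before the files become the regression baseline, since a later fix to the pipeline would then show up as a test failure rather than an improvement.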
@@ -0,0 +1,24 @@ +[ + { + "@timestamp": "2016-12-12T11:54:16.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 11004467000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 210, + "mysql.slowlog.current_user": "root", + "mysql.slowlog.lock_time.sec": 0.0, + "mysql.slowlog.query": "select sleep(11);", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 1, + "mysql.thread_id": 2, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "root" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/slowlog/test/mysql-debian-5.7.17.log-expected.json b/filebeat/module/mysql/slowlog/test/mysql-debian-5.7.17.log-expected.json new file mode 100644 index 00000000000..c0fa2b8c14a --- /dev/null +++ b/filebeat/module/mysql/slowlog/test/mysql-debian-5.7.17.log-expected.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2017-04-28T09:07:39.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 4071491000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "mysql.slowlog.current_user": "apphost", + "mysql.slowlog.lock_time.sec": 0.000212, + "mysql.slowlog.query": "SELECT mcu.mcu_guid, mcu.cus_guid, mcu.mcu_url, mcu.mcu_crawlelements, mcu.mcu_order, GROUP_CONCAT(mca.mca_guid SEPARATOR \";\") as mca_guid\n FROM kat_mailcustomerurl mcu, kat_customer cus, kat_mailcampaign mca\n WHERE cus.cus_guid = mcu.cus_guid\n AND cus.pro_code = 'CYB'\n AND cus.cus_offline = 0\n AND mca.cus_guid = cus.cus_guid\n AND (mcu.mcu_date IS NULL OR mcu.mcu_date < CURDATE())\n AND mcu.mcu_crawlelements IS NOT NULL\n GROUP BY mcu.mcu_guid\n ORDER BY mcu.mcu_order ASC\n LIMIT 1000;", + "mysql.slowlog.rows_examined": 1489615, + "mysql.slowlog.rows_sent": 1000, + "mysql.thread_id": 10997316, + "service.type": "mysql", + "source.domain": "apphost", + "source.ip": "1.1.1.1", + "user.name": "apphost" + }, + { + "@timestamp": "2017-04-28T09:16:30.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 10346539000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 907, + "mysql.slowlog.current_user": "apphost", + "mysql.slowlog.lock_time.sec": 3.6e-05, + "mysql.slowlog.query": "call load_stats(1, '2017-04-28 00:00:00');", + "mysql.slowlog.rows_examined": 4751313, + "mysql.slowlog.rows_sent": 0, + "mysql.thread_id": 10999834, + "service.type": "mysql", + "source.domain": "apphost", + "source.ip": "1.1.1.1", + "user.name": "apphost" + }, + { + "@timestamp": "2017-04-28T09:31:31.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 10508030000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": 
"log", + "log.flags": [ + "multiline" + ], + "log.offset": 1158, + "mysql.slowlog.current_user": "apphost", + "mysql.slowlog.lock_time.sec": 3.4e-05, + "mysql.slowlog.query": "call load_stats(1, '2017-04-28 00:00:00');", + "mysql.slowlog.rows_examined": 4754675, + "mysql.slowlog.rows_sent": 0, + "mysql.thread_id": 11004208, + "service.type": "mysql", + "source.domain": "apphost", + "source.ip": "1.1.1.1", + "user.name": "apphost" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/slowlog/test/mysql-debian-5.7.19.log-expected.json b/filebeat/module/mysql/slowlog/test/mysql-debian-5.7.19.log-expected.json new file mode 100644 index 00000000000..26f3d5ca280 --- /dev/null +++ b/filebeat/module/mysql/slowlog/test/mysql-debian-5.7.19.log-expected.json @@ -0,0 +1,24 @@ +[ + { + "@timestamp": "2018-04-26T18:50:32.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 100000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "mysql.slowlog.current_user": "root", + "mysql.slowlog.lock_time.sec": 3.3e-05, + "mysql.slowlog.query": "SELECT intcol1,charcol1 FROM t1;", + "mysql.slowlog.rows_examined": 101, + "mysql.slowlog.rows_sent": 101, + "mysql.thread_id": 5, + "service.type": "mysql", + "source.ip": "172.17.0.11", + "user.name": "root" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/slowlog/test/mysql-ubuntu-5.5.53.log-expected.json b/filebeat/module/mysql/slowlog/test/mysql-ubuntu-5.5.53.log-expected.json new file mode 100644 index 00000000000..68a03e15082 --- /dev/null +++ b/filebeat/module/mysql/slowlog/test/mysql-ubuntu-5.5.53.log-expected.json 
@@ -0,0 +1,297 @@ +[ + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 153000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 206, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 6.1e-05, + "mysql.slowlog.query": "SELECT count(*) FROM mysql.user WHERE user='root' and password='';", + "mysql.slowlog.rows_examined": 5, + "mysql.slowlog.rows_sent": 1, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 2456000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 437, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 9.5e-05, + "mysql.slowlog.query": "select concat('select count(*) into @discard from `',\n TABLE_SCHEMA, '`.`', TABLE_NAME, '`')\n from information_schema.TABLES where ENGINE='MyISAM';", + "mysql.slowlog.rows_examined": 81, + "mysql.slowlog.rows_sent": 31, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 6278000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 775, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000153, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`COLUMNS`;", + "mysql.slowlog.rows_examined": 808, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + 
{ + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 262000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1008, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000204, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`EVENTS`;", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 323000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1238, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000241, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`PARAMETERS`;", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 7084000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1472, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000148, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`PARTITIONS`;", + "mysql.slowlog.rows_examined": 81, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": 
"mysql.slowlog", + "event.duration": 277000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1707, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000135, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`PLUGINS`;", + "mysql.slowlog.rows_examined": 23, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 254000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1939, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000159, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`PROCESSLIST`;", + "mysql.slowlog.rows_examined": 1, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 297000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2174, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000229, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`ROUTINES`;", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 1676000, + "event.module": "mysql", + "fileset.name": 
"slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2406, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.000156, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`TRIGGERS`;", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:37:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 8782000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2638, + "mysql.slowlog.current_user": "debian-sys-maint", + "mysql.slowlog.lock_time.sec": 0.001187, + "mysql.slowlog.query": "select count(*) into @discard from `information_schema`.`VIEWS`;", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "debian-sys-maint" + }, + { + "@timestamp": "2016-12-09T14:39:02.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 2000268000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2891, + "mysql.slowlog.current_user": "root", + "mysql.slowlog.lock_time.sec": 0.0, + "mysql.slowlog.query": "select sleep(2);", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 1, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "root" + }, + { + "@timestamp": "2016-12-09T14:39:23.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 138000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3072, + "mysql.slowlog.current_user": "root", + "mysql.slowlog.lock_time.sec": 5.6e-05, + 
"mysql.slowlog.query": "select * from general_log;", + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "mysql.slowlog.schema": "mysql", + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "root" + }, + { + "@timestamp": "2016-12-09T14:39:40.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 159000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3274, + "mysql.slowlog.current_user": "root", + "mysql.slowlog.lock_time.sec": 5.9e-05, + "mysql.slowlog.query": "select * from user;", + "mysql.slowlog.rows_examined": 5, + "mysql.slowlog.rows_sent": 5, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "root" + } +] \ No newline at end of file diff --git a/filebeat/module/mysql/slowlog/test/percona-ubuntu-5.7.19.log-expected.json b/filebeat/module/mysql/slowlog/test/percona-ubuntu-5.7.19.log-expected.json new file mode 100644 index 00000000000..6eec9eb8270 --- /dev/null +++ b/filebeat/module/mysql/slowlog/test/percona-ubuntu-5.7.19.log-expected.json 
@@ -0,0 +1,338 @@ +[ + { + "@timestamp": "2018-11-16T06:25:56.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 10569000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 36, + "mysql.slowlog.bytes_sent": 180, + "mysql.slowlog.current_user": "check", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": true, + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 0, + "mysql.slowlog.lock_time.sec": 6.7e-05, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "SHOW GLOBAL STATUS LIKE 'wsrep_local_state';", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 928, + "mysql.slowlog.rows_sent": 1, + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": true, + "mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 0, + "mysql.slowlog.tmp_tables": 1, + "mysql.thread_id": 1098148226, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "check" + }, + { + "@timestamp": "2018-11-16T13:02:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 36112000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 645, + "mysql.slowlog.bytes_sent": 529, + "mysql.slowlog.current_user": "select", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": false, + "mysql.slowlog.innodb.io_r_bytes": 0, + "mysql.slowlog.innodb.io_r_ops": 0, + "mysql.slowlog.innodb.io_r_wait.sec": 0.0, + "mysql.slowlog.innodb.pages_distinct": 3, + "mysql.slowlog.innodb.queue_wait.sec": 0.0, + 
"mysql.slowlog.innodb.rec_lock_wait.sec": 0.0, + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 0, + "mysql.slowlog.lock_time.sec": 0.000165, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "select config.id as id, config.active as active from config where config.id='123456';", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 1, + "mysql.slowlog.rows_sent": 1, + "mysql.slowlog.schema": "database", + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": false, + "mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 0, + "mysql.slowlog.tmp_tables": 0, + "mysql.thread_id": 1101779094, + "service.type": "mysql", + "source.ip": "192.168.123.123", + "user.name": "select" + }, + { + "@timestamp": "2019-01-21T06:33:10.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 23385000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1425, + "mysql.slowlog.bytes_sent": 20195, + "mysql.slowlog.current_user": "exporter", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": true, + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 0, + "mysql.slowlog.lock_time.sec": 3.9e-05, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "SELECT EVENT_NAME, COUNT_STAR, SUM_TIMER_WAIT\n FROM performance_schema.events_waits_summary_global_by_event_name;", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 390, + "mysql.slowlog.rows_sent": 390, + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": false, + 
"mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 0, + "mysql.slowlog.tmp_tables": 0, + "mysql.thread_id": 14366748, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "exporter" + }, + { + "@timestamp": "2019-01-21T06:34:30.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 10278000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2119, + "mysql.slowlog.bytes_sent": 11, + "mysql.slowlog.current_user": "test", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": false, + "mysql.slowlog.innodb.trx_id": "69B884E82", + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 0, + "mysql.slowlog.lock_time.sec": 0.0, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "commit;", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 0, + "mysql.slowlog.rows_sent": 0, + "mysql.slowlog.schema": "test", + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": false, + "mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 0, + "mysql.slowlog.tmp_tables": 0, + "mysql.thread_id": 14349788, + "service.type": "mysql", + "source.ip": "192.168.123.123", + "user.name": "test" + }, + { + "@timestamp": "2019-01-21T06:35:33.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 14315000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2719, + "mysql.slowlog.bytes_sent": 7131, + "mysql.slowlog.current_user": "exporter", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": 
false, + "mysql.slowlog.full_scan": true, + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 1370, + "mysql.slowlog.lock_time.sec": 9.5e-05, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "SELECT\n TABLE_SCHEMA,\n TABLE_NAME,\n TABLE_TYPE,\n ifnull(ENGINE, 'NONE') as ENGINE,\n ifnull(VERSION, '0') as VERSION,\n ifnull(ROW_FORMAT, 'NONE') as ROW_FORMAT,\n ifnull(TABLE_ROWS, '0') as TABLE_ROWS,\n ifnull(DATA_LENGTH, '0') as DATA_LENGTH,\n ifnull(INDEX_LENGTH, '0') as INDEX_LENGTH,\n ifnull(DATA_FREE, '0') as DATA_FREE,\n ifnull(CREATE_OPTIONS, 'NONE') as CREATE_OPTIONS\n FROM information_schema.tables\n WHERE TABLE_SCHEMA = 'sys';", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 101, + "mysql.slowlog.rows_sent": 101, + "mysql.slowlog.tmp_disk_tables": "24", + "mysql.slowlog.tmp_table": true, + "mysql.slowlog.tmp_table_on_disk": true, + "mysql.slowlog.tmp_table_sizes": 114688, + "mysql.slowlog.tmp_tables": 111, + "mysql.thread_id": 14367106, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "exporter" + }, + { + "@timestamp": "2019-01-21T06:36:03.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 50365000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3980, + "mysql.slowlog.bytes_sent": 1362, + "mysql.slowlog.current_user": "exporter", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": true, + "mysql.slowlog.full_scan": true, + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 1370, + "mysql.slowlog.lock_time.sec": 0.010733, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "SELECT 
t.table_schema, t.table_name, column_name, `auto_increment`,\n pow(2, case data_type\n when 'tinyint' then 7\n when 'smallint' then 15\n when 'mediumint' then 23\n when 'int' then 31\n when 'bigint' then 63\n end+(column_type like '% unsigned'))-1 as max_int\n FROM information_schema.tables t\n JOIN information_schema.columns c\n ON BINARY t.table_schema = c.table_schema AND BINARY t.table_name = c.table_name\n WHERE c.extra = 'auto_increment' AND t.auto_increment IS NOT NULL;", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 3146, + "mysql.slowlog.rows_sent": 16, + "mysql.slowlog.tmp_disk_tables": "71", + "mysql.slowlog.tmp_table": true, + "mysql.slowlog.tmp_table_on_disk": true, + "mysql.slowlog.tmp_table_sizes": 606208, + "mysql.slowlog.tmp_tables": 376, + "mysql.thread_id": 14367293, + "service.type": "mysql", + "source.domain": "localhost", + "user.name": "exporter" + }, + { + "@timestamp": "2019-01-21T06:36:40.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 32463768000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5255, + "mysql.slowlog.bytes_sent": 43805, + "mysql.slowlog.current_user": "test", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": false, + "mysql.slowlog.innodb.io_r_bytes": 16384, + "mysql.slowlog.innodb.io_r_ops": 2, + "mysql.slowlog.innodb.io_r_wait.sec": 0.000213, + "mysql.slowlog.innodb.pages_distinct": 64832, + "mysql.slowlog.innodb.queue_wait.sec": 0.0, + "mysql.slowlog.innodb.rec_lock_wait.sec": 0.0, + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 0, + "mysql.slowlog.lock_time.sec": 8.4e-05, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "select 
test.id as id, test.modified as mo, test.product as pr from test where (test.state in ('NOT_RELEVANT')) and test.last<='2019-01-21 06:36:08.432' and test.modified<='2019-01-07 06:36:08.432' limit 100000;", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 0, + "mysql.slowlog.rows_examined": 267, + "mysql.slowlog.rows_sent": 267, + "mysql.slowlog.schema": "test", + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": false, + "mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 0, + "mysql.slowlog.tmp_tables": 0, + "mysql.thread_id": 14360213, + "service.type": "mysql", + "source.ip": "192.168.123.123", + "user.name": "test" + }, + { + "@timestamp": "2019-01-21T09:15:36.000Z", + "ecs.version": "1.0.0", + "event.dataset": "mysql.slowlog", + "event.duration": 153883488000, + "event.module": "mysql", + "fileset.name": "slowlog", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 6165, + "mysql.slowlog.bytes_sent": 62, + "mysql.slowlog.current_user": "test", + "mysql.slowlog.filesort": false, + "mysql.slowlog.filesort_on_disk": false, + "mysql.slowlog.full_join": false, + "mysql.slowlog.full_scan": false, + "mysql.slowlog.innodb.io_r_bytes": 79822848, + "mysql.slowlog.innodb.io_r_ops": 9744, + "mysql.slowlog.innodb.io_r_wait.sec": 0.883446, + "mysql.slowlog.innodb.pages_distinct": 64872, + "mysql.slowlog.innodb.queue_wait.sec": 0.0, + "mysql.slowlog.innodb.rec_lock_wait.sec": 0.003038, + "mysql.slowlog.innodb.trx_id": "69BB9C7F9", + "mysql.slowlog.killed": 0, + "mysql.slowlog.last_errno": 3170, + "mysql.slowlog.lock_time.sec": 0.024022, + "mysql.slowlog.log_slow_rate_limit": 100, + "mysql.slowlog.log_slow_rate_type": "query", + "mysql.slowlog.merge_passes": 0, + "mysql.slowlog.query": "UPDATE test SET test.state = 'NOT_RELEVANT', modified = now() WHERE test.id IN (26328833, 390, 149386, 152268, 160997, 165304, 168524, 184105, 193022, 194533, 194862, 196469, 196487, 246398, 256594, 
260566, 261862, 262342, 263701, 264166, 264607, 267671, 274879, 276704, 280964, 284366, 289323, 289843, 290004, 298999, 301213, 303494, 307920, 311905, 316311, 318404, 330846, 340751, 341433, 357191, 369184, 376876, 378360, 378492, 379470, 382131, 384077, 388368, 396815, 396881, 398272, 398950, 399589, 401299, 408787, 411293, 419109, 425953, 427659, 433183, 437030, 438332, 438386, 447037, 454231, 455257, 455344, 456385, 460420, 460425, 461252, 462338, 462531, 462684, 463104, 463395, 471073, 480069, 480078, 482399, 485205, 487971, 497191, 500261, 501855, 517585, 519310, 519654, 522575, 538425, 543560, 562315, 573934, 583466, 583490, 583502, 597605, 600875, 601546, 603879, 604467, 604619, 757786, 797285, 799155, 802905, 806268, 806798, 811974, 819684, 822629, 826406, 837733, 840128, 840131, 840251, 840277, 840302, 842966, 844294, 844300, 847837, 852503, 854272, 854299, 862983, 881405, 881461, 881467, 881560, 881908, 882435, 882453, 882651, 882711, 882811, 888265, 888286, 914091, 916288, 916316, 917708, 918238, 918887, 919222, 926607, 976977, 977010, 977067, 977131, 977185, 988249, 988276, 988336, 988360, 988504, 990994);", + "mysql.slowlog.query_cache_hit": false, + "mysql.slowlog.rows_affected": 19198, + "mysql.slowlog.rows_examined": 120309968, + "mysql.slowlog.rows_sent": 0, + "mysql.slowlog.schema": "test", + "mysql.slowlog.tmp_disk_tables": "0", + "mysql.slowlog.tmp_table": false, + "mysql.slowlog.tmp_table_on_disk": false, + "mysql.slowlog.tmp_table_sizes": 0, + "mysql.slowlog.tmp_tables": 0, + "mysql.thread_id": 14370752, + "service.type": "mysql", + "source.ip": "192.168.123.123", + "user.name": "test" + } +] \ No newline at end of file diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json new file mode 100644 index 00000000000..ec3e9ba3cb0 --- /dev/null +++ b/filebeat/module/nginx/access/test/access.log-expected.json 
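Review bot: The fixture pins `mysql.slowlog.tmp_disk_tables` as a string (`"0"`, `"24"`, `"71"`) while the neighbouring counters `tmp_tables`, `tmp_table_sizes` and `merge_passes` are integers, so committing this generated output as the expected file turns what looks like a missed type conversion into an asserted contract that future fixes will have to break. Presumably the slowlog ingest pipeline converts the other Percona counters but skipped this one; the pipeline is outside this hunk so I cannot confirm it. I would add the conversion before regenerating the file, e.g. `{"convert": {"field": "mysql.slowlog.tmp_disk_tables", "type": "long", "ignore_missing": true}}`, and align the field's type in fields.yml with the other counters. The same `"0"` string appears on every other event in this hunk, so the regenerated file will change on all of them.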
@@ -0,0 +1,382 @@ +[ + { + "@timestamp": "2016-10-25T12:49:33.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 612, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-10-25T12:49:34.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "http://localhost:8080/", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 199, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/favicon.ico", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-10-25T12:50:44.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 430, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/adsasd", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T09:34:43.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 612, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 635, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + 
"source.ip": "77.179.66.156", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T09:34:43.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "http://localhost:8080/", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 834, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/favicon.ico", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T09:43:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1065, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + 
], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/test", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T09:43:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1268, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/test", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T09:43:23.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": 
"-", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1471, + "nginx.access.remote_ip_list": [ + "77.179.66.156" + ], + "service.type": "nginx", + "source.address": "77.179.66.156", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "77.179.66.156", + "url.original": "/test1", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T10:04:37.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 571, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1675, + "nginx.access.remote_ip_list": [ + "127.0.0.1" + ], + "service.type": "nginx", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/test1", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.12.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12.0", + "user_agent.version": "54.0.2840" + }, + { + "@timestamp": "2016-12-07T10:04:58.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + 
"http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 0, + "http.response.status_code": 304, + "http.version": "1.1", + "input.type": "log", + "log.offset": 1875, + "nginx.access.remote_ip_list": [ + "127.0.0.1" + ], + "service.type": "nginx", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "49.0" + }, + { + "@timestamp": "2016-12-07T10:04:59.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 0, + "http.response.status_code": 304, + "http.version": "1.1", + "input.type": "log", + "log.offset": 2030, + "nginx.access.remote_ip_list": [ + "127.0.0.1" + ], + "service.type": "nginx", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "49.0" + }, + { + "@timestamp": "2016-12-07T10:05:07.000Z", + "ecs.version": "1.0.0", + "event.dataset": "nginx.access", + "event.module": "nginx", + "fileset.name": "access", + "http.request.method": "GET", + "http.request.referrer": "-", + "http.response.body.bytes": 169, + "http.response.status_code": 404, + "http.version": "1.1", + "input.type": "log", + "log.offset": 2185, + "nginx.access.remote_ip_list": 
[ + "127.0.0.1" + ], + "service.type": "nginx", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "url.original": "/taga", + "user.name": "-", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", + "user_agent.os.full": "Mac OS X 10.12", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.12", + "user_agent.version": "49.0" + } +] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json new file mode 100644 index 00000000000..e50b713a085 --- /dev/null +++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json 
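Review bot: Every event in this hunk carries `user.name: "-"` and most carry `http.request.referrer: "-"`, i.e. the nginx placeholder for "no value" is indexed as a real value, and this expected file now asserts that behaviour. Any detection rule or dashboard that groups or alerts on `user.name` will treat `-` as an actual user, while ECS convention is to leave the field unset when there is no value. The fix belongs to the access ingest pipeline rather than to this file, which is not visible here; something like `{"remove": {"field": "user.name", "if": "ctx.user?.name == '-'"}}` and the same guard for `http.request.referrer`, after which the fixture should be regenerated.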
@@ -0,0 +1,1698 @@ +[ + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 0, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_55808.a_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 490, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423113", + "osquery.result.columns.name": "pack_ossec-rootkit_adore_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": 
"72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 981, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "37", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423092", + "osquery.result.columns.name": "pack_ossec-rootkit_adore_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1469, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "41", + "osquery.result.columns.interval": 
"60", + "osquery.result.columns.last_executed": "1515423065", + "osquery.result.columns.name": "pack_ossec-rootkit_ajakit_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1961, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_anonoiyng_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 2456, + "osquery.result.action": 
"added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "43", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_apa_kit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 2941, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423113", + "osquery.result.columns.name": "pack_ossec-rootkit_ark_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": 
"1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3430, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_bash_door", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3917, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_beastkit_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4411, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "45", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423112", + "osquery.result.columns.name": "pack_ossec-rootkit_bmbl_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4901, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": 
"41", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423065", + "osquery.result.columns.name": "pack_ossec-rootkit_bobkit_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 5393, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "42", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423084", + "osquery.result.columns.name": "pack_ossec-rootkit_cback_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + 
"log.offset": 5881, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_enye_sec_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 6375, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423112", + "osquery.result.columns.name": "pack_ossec-rootkit_esrk_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": 
"pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 6865, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "41", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423065", + "osquery.result.columns.name": "pack_ossec-rootkit_fu_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 7353, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "37", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423092", + "osquery.result.columns.name": "pack_ossec-rootkit_hidr00tkit", + "osquery.result.columns.output_size": "0", + 
"osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 7841, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_illogic_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 8334, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + 
"osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_kenga3_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 8826, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_knark_installed", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + 
"event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 9319, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "42", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423084", + "osquery.result.columns.name": "pack_ossec-rootkit_ldp_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 9805, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423112", + "osquery.result.columns.name": "pack_ossec-rootkit_lion_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + 
"osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 10292, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_loc_rookit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 10780, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "41", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423065", + "osquery.result.columns.name": 
"pack_ossec-rootkit_lrk_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 11269, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "42", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423084", + "osquery.result.columns.name": "pack_ossec-rootkit_madalin_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 11762, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + 
"osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "42", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423084", + "osquery.result.columns.name": "pack_ossec-rootkit_maniac_rk", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 12249, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "43", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_mithra`s_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": 
"2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 12743, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_monkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 13227, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_monkit_found", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + 
"osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 13717, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "42", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423084", + "osquery.result.columns.name": "pack_ossec-rootkit_old_rootkits", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 14207, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + 
"osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_omega_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 14695, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_optickit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 15181, + "osquery.result.action": "added", + 
"osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_override_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 15675, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "37", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423092", + "osquery.result.columns.name": "pack_ossec-rootkit_phalanx_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + 
"osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16168, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_ramen_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16656, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423112", + "osquery.result.columns.name": "pack_ossec-rootkit_rh_sharpe", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + 
"osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17143, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "42", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423084", + "osquery.result.columns.name": "pack_ossec-rootkit_rk17", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17625, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + 
"osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_romanian_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 18119, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_rsha", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + 
"input.type": "log", + "log.offset": 18601, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423113", + "osquery.result.columns.name": "pack_ossec-rootkit_sadmind/iis_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19096, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_scalper_installed", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + 
"osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19591, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_shitc", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20074, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "38", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423094", + "osquery.result.columns.name": "pack_ossec-rootkit_shkit_rootkit", + "osquery.result.columns.output_size": "0", + 
"osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20565, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_showtee", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21050, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + 
"osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_showtee_/_romanian_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21555, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423113", + "osquery.result.columns.name": "pack_ossec-rootkit_shv5_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": 
"osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22045, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_slapper_installed", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22540, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_solaris_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + 
"osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23030, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_suckit_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23522, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "41", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423065", + 
"osquery.result.columns.name": "pack_ossec-rootkit_suspicious_file", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24015, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_t0rn_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24505, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 
2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_tc2_worm", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24991, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "43", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_telekit_trojan", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + 
"@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25483, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_tribe_bot", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25970, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_trk_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": 
"72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26459, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423051", + "osquery.result.columns.name": "pack_ossec-rootkit_tuxkit_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26951, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "40", + 
"osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423075", + "osquery.result.columns.name": "pack_ossec-rootkit_volc_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 27441, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "39", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423086", + "osquery.result.columns.name": "pack_ossec-rootkit_zarwt_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T14:51:55.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 
27932, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 14:51:55 2018 UTC", + "osquery.result.columns.average_memory": "0", + "osquery.result.columns.avg_system_time": "0", + "osquery.result.columns.avg_user_time": "0", + "osquery.result.columns.executions": "36", + "osquery.result.columns.interval": "60", + "osquery.result.columns.last_executed": "1515423081", + "osquery.result.columns.name": "pack_ossec-rootkit_zk_rootkit", + "osquery.result.columns.output_size": "0", + "osquery.result.columns.wall_time": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_osquery-monitoring_schedule", + "osquery.result.unix_time": "1515423115", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T17:06:29.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 28420, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 17:06:29 2018 UTC", + "osquery.result.columns.atime": "1515431166", + "osquery.result.columns.block_size": "4096", + "osquery.result.columns.btime": "0", + "osquery.result.columns.ctime": "1515431161", + "osquery.result.columns.device": "0", + "osquery.result.columns.directory": "/tmp/.font-unix", + "osquery.result.columns.filename": ".cinik", + "osquery.result.columns.gid": "0", + "osquery.result.columns.hard_links": "1", + "osquery.result.columns.inode": "256622", + "osquery.result.columns.mode": "0644", + "osquery.result.columns.mtime": "1515431161", + "osquery.result.columns.path": "/tmp/.font-unix/.cinik", + "osquery.result.columns.size": "0", + "osquery.result.columns.symlink": "1", + "osquery.result.columns.type": "regular", + 
"osquery.result.columns.uid": "0", + "osquery.result.counter": "90", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_ossec-rootkit_slapper_installed", + "osquery.result.unix_time": "1515431189", + "service.type": "osquery" + }, + { + "@timestamp": "2018-01-08T17:19:48.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29019, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Mon Jan 8 17:19:48 2018 UTC", + "osquery.result.columns.atime": "1515431943", + "osquery.result.columns.block_size": "4096", + "osquery.result.columns.btime": "0", + "osquery.result.columns.ctime": "1515431943", + "osquery.result.columns.device": "0", + "osquery.result.columns.directory": "/usr/bin", + "osquery.result.columns.filename": "adore", + "osquery.result.columns.gid": "0", + "osquery.result.columns.hard_links": "1", + "osquery.result.columns.inode": "1919", + "osquery.result.columns.mode": "0644", + "osquery.result.columns.mtime": "1515431943", + "osquery.result.columns.path": "/usr/bin/adore", + "osquery.result.columns.size": "0", + "osquery.result.columns.symlink": "1", + "osquery.result.columns.type": "regular", + "osquery.result.columns.uid": "0", + "osquery.result.counter": "95", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_ossec-rootkit_adore_worm", + "osquery.result.unix_time": "1515431988", + "service.type": "osquery" + } +] \ No newline at end of file 
diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json
new file mode 100644
index 00000000000..2796f342a02
--- /dev/null
+++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json
@@ -0,0 +1,2435 @@ +[ + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 0, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "org.python.python.app", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 333, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "com.apple.ruby", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 659, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "com.apple.a2p", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 984, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "com.apple.javajdk16.cmd", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1319, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "com.apple.php", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": 
"osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1644, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "com.apple.nc", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1968, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "com.apple.ksh", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_explicit_auths", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 2293, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "httpd", + "osquery.result.columns.service": "Personal Web Sharing", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": 
"4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 2649, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "cupsd", + "osquery.result.columns.service": "Printer Sharing", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3000, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "AEServer", + "osquery.result.columns.service": "Remote Apple Events", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + 
"service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3358, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "ftpd", + "osquery.result.columns.service": "FTP Access", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3703, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "AppleFileServer", + "osquery.result.columns.service": "Personal File Sharing", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4070, + "osquery.result.action": "added", + 
"osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "sshd-keygen-wrapper", + "osquery.result.columns.service": "Remote Login - SSH", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4438, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "smbd", + "osquery.result.columns.service": "Samba Sharing", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4786, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "AppleVNCServer", + "osquery.result.columns.service": "Apple Remote Desktop", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": 
"4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:50.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 5151, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:50 2017 UTC", + "osquery.result.columns.process": "ODSAgent", + "osquery.result.columns.service": "ODSAgent", + "osquery.result.columns.state": "0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_alf_services", + "osquery.result.unix_time": "1514471990", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 5498, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "LastPass", + "osquery.result.columns.description": "Last Password you will ever need", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "support@lastpass.com", + "osquery.result.columns.location": "app-profile", + 
"osquery.result.columns.name": "LastPass: Free Password Manager", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380", + "osquery.result.columns.type": "webextension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "4.2.3.20", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 6464, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "Sets value(s) in the update url based on custom checks.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "aushelper@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + 
"osquery.result.columns.name": "Application Update Service Helper", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "2.0", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 7269, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "Staged rollout of Firefox multi-process feature.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "e10srollout@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Multi-process staged rollout", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + 
"osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "3.05", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 8065, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "When you find something you want to view later, put it in Pocket.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "firefox@getpocket.com", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Pocket", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + 
"osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "1.0.5", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 8855, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "null", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "followonsearch@mozilla.com", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Follow-on Search Telemetry", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "0.9.6", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 9609, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "null", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "screenshots@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Firefox Screenshots", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "19.2.0", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": 
"pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 10354, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "Client to download and run recipes for SHIELD, Heartbeat, etc.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "shield-recipe-client@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Shield Recipe Client", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "76.1", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": 
"1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 11165, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "Urgent post-release fixes for web compatibility.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "webcompat@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Web Compat", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "1.1", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 11940, + "osquery.result.action": "added", + "osquery.result.calendar_time": 
"Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "A rich visual history feed and a reimagined home page make it easier than ever to find exactly what you're looking for in Firefox.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "activity-stream@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Activity Stream", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "2017.11.07.1100-7f4e3634", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 12829, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + 
"osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "Autofill forms with saved profiles", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "formautofill@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Form Autofill", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "1.0", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 13596, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "Photon onboarding", + "osquery.result.columns.directory": "/Users/tsg", + 
"osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "onboarding@mozilla.org", + "osquery.result.columns.location": "app-system-defaults", + "osquery.result.columns.name": "Photon onboarding", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "1.0", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 14348, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "Mozilla", + "osquery.result.columns.description": "The default theme.", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "{972ce4c6-7e08-4474-a285-3208198ce6fd}", + 
"osquery.result.columns.location": "app-global", + "osquery.result.columns.name": "Default", + "osquery.result.columns.native": "0", + "osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "null", + "osquery.result.columns.type": "theme", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "57.0.1", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 15100, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.active": "1", + "osquery.result.columns.autoupdate": "1", + "osquery.result.columns.creator": "null", + "osquery.result.columns.description": "This disables NV12 surface format on Windows for AMD graphic adapters, see bug 1417442", + "osquery.result.columns.directory": "/Users/tsg", + "osquery.result.columns.disabled": "0", + "osquery.result.columns.gid": "20", + "osquery.result.columns.gid_signed": "20", + "osquery.result.columns.identifier": "disable-media-wmf-nv12@mozilla.org", + "osquery.result.columns.location": "app-system-addons", + "osquery.result.columns.name": "Disable Media WMF NV12 format", + "osquery.result.columns.native": "0", + 
"osquery.result.columns.path": "", + "osquery.result.columns.shell": "/bin/zsh", + "osquery.result.columns.source_url": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon", + "osquery.result.columns.type": "extension", + "osquery.result.columns.uid": "501", + "osquery.result.columns.uid_signed": "501", + "osquery.result.columns.username": "tsg", + "osquery.result.columns.uuid": "C4ED9367-E74A-4B3B-8E57-F97695D3919C", + "osquery.result.columns.version": "1.1", + "osquery.result.columns.visible": "1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_firefox_addons", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16011, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "ansible", + "osquery.result.columns.path": "/usr/local/Cellar/ansible/", + "osquery.result.columns.version": "2.3.2.0_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16389, + 
"osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "asio", + "osquery.result.columns.path": "/usr/local/Cellar/asio/", + "osquery.result.columns.version": "1.10.8_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16760, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "augeas", + "osquery.result.columns.path": "/usr/local/Cellar/augeas/", + "osquery.result.columns.version": "1.9.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17132, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "awscli", + "osquery.result.columns.path": "/usr/local/Cellar/awscli/", + "osquery.result.columns.version": "1.11.138", + 
"osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17507, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "boost", + "osquery.result.columns.path": "/usr/local/Cellar/boost/", + "osquery.result.columns.version": "1.65.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17878, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "elasticsearch", + "osquery.result.columns.path": "/usr/local/Cellar/elasticsearch/", + "osquery.result.columns.version": "6.1.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + 
"osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 18264, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "filebeat", + "osquery.result.columns.path": "/usr/local/Cellar/filebeat/", + "osquery.result.columns.version": "6.0.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 18640, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "fontconfig", + "osquery.result.columns.path": "/usr/local/Cellar/fontconfig/", + "osquery.result.columns.version": "2.12.6", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + 
"event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19021, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "freetype", + "osquery.result.columns.path": "/usr/local/Cellar/freetype/", + "osquery.result.columns.version": "2.8.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19397, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "gd", + "osquery.result.columns.path": "/usr/local/Cellar/gd/", + "osquery.result.columns.version": "2.2.5", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19761, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "gdbm", + "osquery.result.columns.path": 
"/usr/local/Cellar/gdbm/", + "osquery.result.columns.version": "1.13", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20128, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "gettext", + "osquery.result.columns.path": "/usr/local/Cellar/gettext/", + "osquery.result.columns.version": "0.19.8.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20505, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "gflags", + "osquery.result.columns.path": "/usr/local/Cellar/gflags/", + "osquery.result.columns.version": "2.2.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + 
"osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20877, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "git-crypt", + "osquery.result.columns.path": "/usr/local/Cellar/git-crypt/", + "osquery.result.columns.version": "0.5.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21255, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "glog", + "osquery.result.columns.path": "/usr/local/Cellar/glog/", + "osquery.result.columns.version": "0.3.5_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": 
"1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21625, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "go", + "osquery.result.columns.path": "/usr/local/Cellar/go/", + "osquery.result.columns.version": "1.9.2", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21989, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "go@1.8", + "osquery.result.columns.path": "/usr/local/Cellar/go@1.8/", + "osquery.result.columns.version": "1.8.3", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22361, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + 
"osquery.result.columns.name": "gradle", + "osquery.result.columns.path": "/usr/local/Cellar/gradle/", + "osquery.result.columns.version": "4.3", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22731, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "graphviz", + "osquery.result.columns.path": "/usr/local/Cellar/graphviz/", + "osquery.result.columns.version": "2.40.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23108, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "heartbeat", + "osquery.result.columns.path": "/usr/local/Cellar/heartbeat/", + "osquery.result.columns.version": "6.1.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + 
"osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23486, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "heartbeat", + "osquery.result.columns.path": "/usr/local/Cellar/heartbeat/", + "osquery.result.columns.version": "6.1.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23864, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "icu4c", + "osquery.result.columns.path": "/usr/local/Cellar/icu4c/", + "osquery.result.columns.version": "59.1_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": 
"osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24235, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "jemalloc", + "osquery.result.columns.path": "/usr/local/Cellar/jemalloc/", + "osquery.result.columns.version": "5.0.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24611, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "jpeg", + "osquery.result.columns.path": "/usr/local/Cellar/jpeg/", + "osquery.result.columns.version": "9b", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24976, + "osquery.result.action": "added", + 
"osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "jq", + "osquery.result.columns.path": "/usr/local/Cellar/jq/", + "osquery.result.columns.version": "1.5_2", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25340, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libarchive", + "osquery.result.columns.path": "/usr/local/Cellar/libarchive/", + "osquery.result.columns.version": "3.3.2", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25720, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libevent", + "osquery.result.columns.path": "/usr/local/Cellar/libevent/", + "osquery.result.columns.version": "2.1.8", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26096, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libmagic", + "osquery.result.columns.path": "/usr/local/Cellar/libmagic/", + "osquery.result.columns.version": "5.32", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26471, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libpng", + "osquery.result.columns.path": "/usr/local/Cellar/libpng/", + "osquery.result.columns.version": "1.6.34", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": 
"pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26844, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "librdkafka", + "osquery.result.columns.path": "/usr/local/Cellar/librdkafka/", + "osquery.result.columns.version": "0.11.3", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 27225, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libtermkey", + "osquery.result.columns.path": "/usr/local/Cellar/libtermkey/", + "osquery.result.columns.version": "0.20", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", 
+ "fileset.name": "result", + "input.type": "log", + "log.offset": 27604, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libtiff", + "osquery.result.columns.path": "/usr/local/Cellar/libtiff/", + "osquery.result.columns.version": "4.0.8_5", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 27980, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libtool", + "osquery.result.columns.path": "/usr/local/Cellar/libtool/", + "osquery.result.columns.version": "2.4.6_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 28356, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libuv", + "osquery.result.columns.path": 
"/usr/local/Cellar/libuv/", + "osquery.result.columns.version": "1.14.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 28727, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libvterm", + "osquery.result.columns.path": "/usr/local/Cellar/libvterm/", + "osquery.result.columns.version": "681", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29101, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "libyaml", + "osquery.result.columns.path": "/usr/local/Cellar/libyaml/", + "osquery.result.columns.version": "0.1.7", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + 
"osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29475, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "lldpd", + "osquery.result.columns.path": "/usr/local/Cellar/lldpd/", + "osquery.result.columns.version": "0.9.9", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29845, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "lz4", + "osquery.result.columns.path": "/usr/local/Cellar/lz4/", + "osquery.result.columns.version": "1.8.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + 
"event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 30211, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "lzlib", + "osquery.result.columns.path": "/usr/local/Cellar/lzlib/", + "osquery.result.columns.version": "1.9", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 30579, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "metricbeat", + "osquery.result.columns.path": "/usr/local/Cellar/metricbeat/", + "osquery.result.columns.version": "6.1.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 30959, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + 
"osquery.result.columns.name": "msgpack", + "osquery.result.columns.path": "/usr/local/Cellar/msgpack/", + "osquery.result.columns.version": "2.1.5", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 31333, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "neovim", + "osquery.result.columns.path": "/usr/local/Cellar/neovim/", + "osquery.result.columns.version": "0.2.0_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 31707, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "nginx", + "osquery.result.columns.path": "/usr/local/Cellar/nginx/", + "osquery.result.columns.version": "1.12.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + 
"osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 32078, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "node", + "osquery.result.columns.path": "/usr/local/Cellar/node/", + "osquery.result.columns.version": "8.9.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 32446, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "nvm", + "osquery.result.columns.path": "/usr/local/Cellar/nvm/", + "osquery.result.columns.version": "0.33.6", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + 
{ + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 32813, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "oniguruma", + "osquery.result.columns.path": "/usr/local/Cellar/oniguruma/", + "osquery.result.columns.version": "6.6.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 33191, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "openssl", + "osquery.result.columns.path": "/usr/local/Cellar/openssl/", + "osquery.result.columns.version": "1.0.2l", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 33566, + "osquery.result.action": "added", + 
"osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "openssl", + "osquery.result.columns.path": "/usr/local/Cellar/openssl/", + "osquery.result.columns.version": "1.0.2m", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 33941, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "openssl@1.1", + "osquery.result.columns.path": "/usr/local/Cellar/openssl@1.1/", + "osquery.result.columns.version": "1.1.0f", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 34324, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "osquery", + "osquery.result.columns.path": "/usr/local/Cellar/osquery/", + "osquery.result.columns.version": "2.10.2", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 34699, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "pcre", + "osquery.result.columns.path": "/usr/local/Cellar/pcre/", + "osquery.result.columns.version": "8.41", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 35066, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "perl", + "osquery.result.columns.path": "/usr/local/Cellar/perl/", + "osquery.result.columns.version": "5.26.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": 
"pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 35435, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "python", + "osquery.result.columns.path": "/usr/local/Cellar/python/", + "osquery.result.columns.version": "2.7.13_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 35810, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "rapidjson", + "osquery.result.columns.path": "/usr/local/Cellar/rapidjson/", + "osquery.result.columns.version": "1.1.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + 
"fileset.name": "result", + "input.type": "log", + "log.offset": 36188, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "readline", + "osquery.result.columns.path": "/usr/local/Cellar/readline/", + "osquery.result.columns.version": "7.0.3_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 36566, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "redis", + "osquery.result.columns.path": "/usr/local/Cellar/redis/", + "osquery.result.columns.version": "4.0.2", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 36936, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "rocksdb", + "osquery.result.columns.path": 
"/usr/local/Cellar/rocksdb/", + "osquery.result.columns.version": "5.8.7", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 37310, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "ruby", + "osquery.result.columns.path": "/usr/local/Cellar/ruby/", + "osquery.result.columns.version": "2.4.1_1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 37680, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "sleuthkit", + "osquery.result.columns.path": "/usr/local/Cellar/sleuthkit/", + "osquery.result.columns.version": "4.5.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", 
+ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 38058, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "snappy", + "osquery.result.columns.path": "/usr/local/Cellar/snappy/", + "osquery.result.columns.version": "1.1.7", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 38430, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "sqlite", + "osquery.result.columns.path": "/usr/local/Cellar/sqlite/", + "osquery.result.columns.version": "3.20.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": 
"1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 38803, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "telnet", + "osquery.result.columns.path": "/usr/local/Cellar/telnet/", + "osquery.result.columns.version": "54.50.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 39177, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "the_silver_searcher", + "osquery.result.columns.path": "/usr/local/Cellar/the_silver_searcher/", + "osquery.result.columns.version": "2.1.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 39575, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 
UTC", + "osquery.result.columns.name": "tree", + "osquery.result.columns.path": "/usr/local/Cellar/tree/", + "osquery.result.columns.version": "1.7.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 39943, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "unibilium", + "osquery.result.columns.path": "/usr/local/Cellar/unibilium/", + "osquery.result.columns.version": "1.2.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 40321, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "vim", + "osquery.result.columns.path": "/usr/local/Cellar/vim/", + "osquery.result.columns.version": "8.0.0997", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + 
"osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 40690, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "webp", + "osquery.result.columns.path": "/usr/local/Cellar/webp/", + "osquery.result.columns.version": "0.6.0_2", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 41060, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "xz", + "osquery.result.columns.path": "/usr/local/Cellar/xz/", + "osquery.result.columns.version": "5.2.3", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { 
+ "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 41424, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "yara", + "osquery.result.columns.path": "/usr/local/Cellar/yara/", + "osquery.result.columns.version": "3.7.0", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 41792, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "zsh", + "osquery.result.columns.path": "/usr/local/Cellar/zsh/", + "osquery.result.columns.version": "5.4.1", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-28T14:39:51.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 42158, + "osquery.result.action": "added", + "osquery.result.calendar_time": 
"Thu Dec 28 14:39:51 2017 UTC", + "osquery.result.columns.name": "zstd", + "osquery.result.columns.path": "/usr/local/Cellar/zstd/", + "osquery.result.columns.version": "1.3.2", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "4AB2906D-5516-5794-AF54-86D1D7F533F3", + "osquery.result.decorations.username": "tsg", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", + "osquery.result.name": "pack_it-compliance_homebrew_packages", + "osquery.result.unix_time": "1514471991", + "service.type": "osquery" + } +] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json new file mode 100644 index 00000000000..d9df59bd1db --- /dev/null +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json 
@@ -0,0 +1,2575 @@ +[ + { + "@timestamp": "2017-12-07T12:21:20.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 0, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 12:21:20 2017 UTC", + "osquery.result.columns.cpu_brand": "Intel(R) Core(TM) i7-7567U CPU @ 3.50GHz", + "osquery.result.columns.hostname": "ubuntu-xenial", + "osquery.result.columns.physical_memory": "1040322560", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.name": "osqueryd", + "osquery.result.decorations.path": "/usr/bin/osqueryd", + "osquery.result.decorations.pid": "10917", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "system_info", + "osquery.result.unix_time": "1512649280", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 443, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0380000", + "osquery.result.columns.name": "ufs", + "osquery.result.columns.size": "73728", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": 
"2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 822, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc032c000", + "osquery.result.columns.name": "msdos", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1203, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc03e2000", + "osquery.result.columns.name": "xfs", + "osquery.result.columns.size": "974848", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": 
"result", + "input.type": "log", + "log.offset": 1583, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0373000", + "osquery.result.columns.name": "vboxsf", + "osquery.result.columns.size": "49152", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 1965, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0368000", + "osquery.result.columns.name": "isofs", + "osquery.result.columns.size": "40960", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 2346, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 
17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02a5000", + "osquery.result.columns.name": "ppdev", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 2727, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc030a000", + "osquery.result.columns.name": "input_leds", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3113, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0171000", + "osquery.result.columns.name": "serio_raw", + 
"osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3498, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc039b000", + "osquery.result.columns.name": "vboxguest", + "osquery.result.columns.size": "286720", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "vboxsf", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 3889, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc035f000", + "osquery.result.columns.name": "parport_pc", + "osquery.result.columns.size": "32768", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + 
"osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4275, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02e7000", + "osquery.result.columns.name": "video", + "osquery.result.columns.size": "40960", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 4656, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0352000", + "osquery.result.columns.name": "parport", + "osquery.result.columns.size": "49152", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ppdev,parport_pc", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + 
"osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 5054, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0345000", + "osquery.result.columns.name": "ib_iser", + "osquery.result.columns.size": "49152", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 5437, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0332000", + "osquery.result.columns.name": "rdma_cm", + "osquery.result.columns.size": "49152", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ib_iser", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": 
"ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 5826, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0320000", + "osquery.result.columns.name": "iw_cm", + "osquery.result.columns.size": "45056", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "rdma_cm", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 6213, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc030f000", + "osquery.result.columns.name": "ib_cm", + "osquery.result.columns.size": "45056", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "rdma_cm", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + 
"service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 6600, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0300000", + "osquery.result.columns.name": "ib_sa", + "osquery.result.columns.size": "36864", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "rdma_cm,ib_cm", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 6993, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02f3000", + "osquery.result.columns.name": "ib_mad", + "osquery.result.columns.size": "49152", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ib_cm,ib_sa", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + 
"event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 7385, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02cc000", + "osquery.result.columns.name": "ib_core", + "osquery.result.columns.size": "106496", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ib_iser,rdma_cm,iw_cm,ib_cm,ib_sa,ib_mad", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 7808, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02a0000", + "osquery.result.columns.name": "ib_addr", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "rdma_cm,ib_core", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": 
"result", + "input.type": "log", + "log.offset": 8205, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02c2000", + "osquery.result.columns.name": "iscsi_tcp", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 8590, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02bb000", + "osquery.result.columns.name": "libiscsi_tcp", + "osquery.result.columns.size": "24576", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "iscsi_tcp", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 8986, + "osquery.result.action": "added", + 
"osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc02ad000", + "osquery.result.columns.name": "libiscsi", + "osquery.result.columns.size": "53248", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ib_iser,iscsi_tcp,libiscsi_tcp", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 9399, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0287000", + "osquery.result.columns.name": "scsi_transport_iscsi", + "osquery.result.columns.size": "98304", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ib_iser,iscsi_tcp,libiscsi", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 9820, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + 
"osquery.result.columns.address": "0xffffffffc027c000", + "osquery.result.columns.name": "autofs4", + "osquery.result.columns.size": "40960", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 10203, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0189000", + "osquery.result.columns.name": "btrfs", + "osquery.result.columns.size": "991232", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 10585, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0178000", + "osquery.result.columns.name": "raid10", + "osquery.result.columns.size": 
"49152", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 10967, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0155000", + "osquery.result.columns.name": "raid456", + "osquery.result.columns.size": "110592", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 11351, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc014f000", + "osquery.result.columns.name": "async_raid6_recov", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "raid456", + 
"osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 11750, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc000e000", + "osquery.result.columns.name": "async_memcpy", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "raid456,async_raid6_recov", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 12162, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc014a000", + "osquery.result.columns.name": "async_pq", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "raid456,async_raid6_recov", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": 
"72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 12570, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0119000", + "osquery.result.columns.name": "async_xor", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "raid456,async_raid6_recov,async_pq", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 12988, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0114000", + "osquery.result.columns.name": "async_tx", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "raid456,async_raid6_recov,async_memcpy,async_pq,async_xor", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + 
"osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 13428, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00b6000", + "osquery.result.columns.name": "xor", + "osquery.result.columns.size": "24576", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "btrfs,async_xor", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 13821, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0055000", + "osquery.result.columns.name": "raid6_pq", + "osquery.result.columns.size": "102400", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "btrfs,raid456,async_raid6_recov,async_pq", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + 
"osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 14245, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc004d000", + "osquery.result.columns.name": "libcrc32c", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "xfs,raid456", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 14640, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc003f000", + "osquery.result.columns.name": "raid1", + "osquery.result.columns.size": "36864", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + 
"osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 15021, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0008000", + "osquery.result.columns.name": "raid0", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 15402, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0000000", + "osquery.result.columns.name": "multipath", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + 
"ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 15787, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0013000", + "osquery.result.columns.name": "linear", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16169, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00e9000", + "osquery.result.columns.name": "crct10dif_pclmul", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + 
"input.type": "log", + "log.offset": 16561, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00cc000", + "osquery.result.columns.name": "crc32_pclmul", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 16949, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc008a000", + "osquery.result.columns.name": "ghash_clmulni_intel", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17344, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu 
Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0120000", + "osquery.result.columns.name": "aesni_intel", + "osquery.result.columns.size": "167936", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 17732, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc010e000", + "osquery.result.columns.name": "aes_x86_64", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "aesni_intel", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 18128, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0106000", + "osquery.result.columns.name": 
"lrw", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "aesni_intel", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 18517, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0101000", + "osquery.result.columns.name": "gf128mul", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "lrw", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 18903, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00c7000", + "osquery.result.columns.name": "glue_helper", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + 
"osquery.result.columns.used_by": "aesni_intel", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19300, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00fa000", + "osquery.result.columns.name": "ablk_helper", + "osquery.result.columns.size": "16384", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "aesni_intel", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 19697, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00ef000", + "osquery.result.columns.name": "mptspi", + "osquery.result.columns.size": "24576", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20079, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00e0000", + "osquery.result.columns.name": "scsi_transport_spi", + "osquery.result.columns.size": "32768", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "mptspi", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20478, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00d1000", + "osquery.result.columns.name": "mptscsih", + "osquery.result.columns.size": "40960", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "mptspi", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + 
"osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 20867, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc00bd000", + "osquery.result.columns.name": "cryptd", + "osquery.result.columns.size": "20480", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "ghash_clmulni_intel,aesni_intel,ablk_helper", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21291, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0091000", + "osquery.result.columns.name": "psmouse", + "osquery.result.columns.size": "131072", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + 
"osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 21675, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc0070000", + "osquery.result.columns.name": "mptbase", + "osquery.result.columns.size": "102400", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "mptspi,mptscsih", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + "osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:15.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22073, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:15 2017 UTC", + "osquery.result.columns.address": "0xffffffffc001a000", + "osquery.result.columns.name": "e1000", + "osquery.result.columns.size": "135168", + "osquery.result.columns.status": "Live", + "osquery.result.columns.used_by": "-", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_kernel_modules", + 
"osquery.result.unix_time": "1512669435", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22455, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/sda", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 22826, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/sda1", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "ce24233e-85c4-4f5b-a084-25bb2493ad65", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + 
}, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23234, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/sdb", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "2017-08-31-09-16-31-00", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 23627, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop0", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + 
"event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24000, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop1", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 24373, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop2", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + 
"input.type": "log", + "log.offset": 24746, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop3", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25119, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop4", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25492, + "osquery.result.action": "added", + 
"osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop5", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 25865, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop6", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26238, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.encrypted": "0", 
+ "osquery.result.columns.name": "/dev/loop7", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 26611, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.build": "", + "osquery.result.columns.codename": "xenial", + "osquery.result.columns.major": "16", + "osquery.result.columns.minor": "4", + "osquery.result.columns.name": "Ubuntu", + "osquery.result.columns.patch": "0", + "osquery.result.columns.platform": "ubuntu", + "osquery.result.columns.platform_like": "debian", + "osquery.result.columns.version": "16.04.3 LTS (Xenial Xerus)", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_os_version", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:18.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 27065, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 
17:57:18 2017 UTC", + "osquery.result.columns.build_distro": "xenial", + "osquery.result.columns.build_platform": "ubuntu", + "osquery.result.columns.config_hash": "316a3b407f3a225961bbcdb703efd3dc5d1a2d94", + "osquery.result.columns.config_valid": "1", + "osquery.result.columns.datetime": "2017-12-07T17:57:18Z", + "osquery.result.columns.day": "7", + "osquery.result.columns.extensions": "active", + "osquery.result.columns.hour": "17", + "osquery.result.columns.instance_id": "5a1e5efb-abc0-4230-9ec2-290e72fe098c", + "osquery.result.columns.iso_8601": "2017-12-07T17:57:18Z", + "osquery.result.columns.local_time": "1512669438", + "osquery.result.columns.local_timezone": "CET", + "osquery.result.columns.minutes": "57", + "osquery.result.columns.month": "12", + "osquery.result.columns.pid": "11550", + "osquery.result.columns.seconds": "18", + "osquery.result.columns.start_time": "1512669421", + "osquery.result.columns.timestamp": "Thu Dec 7 17:57:18 2017 UTC", + "osquery.result.columns.timezone": "GMT", + "osquery.result.columns.unix_time": "1512669438", + "osquery.result.columns.uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.columns.version": "2.10.2", + "osquery.result.columns.watcher": "1", + "osquery.result.columns.weekday": "Thursday", + "osquery.result.columns.year": "2017", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_osquery_info", + "osquery.result.unix_time": "1512669438", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 27975, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 
17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/sda", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 28346, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/sda1", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "ce24233e-85c4-4f5b-a084-25bb2493ad65", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 28754, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + 
"osquery.result.columns.name": "/dev/sdb", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "2017-08-31-09-16-31-00", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29147, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop0", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29520, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop1", + "osquery.result.columns.type": "", + 
"osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 29893, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop2", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 30266, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop3", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + 
"osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 30639, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop4", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 31012, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop5", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 31385, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop6", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 31758, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.encrypted": "0", + "osquery.result.columns.name": "/dev/loop7", + "osquery.result.columns.type": "", + "osquery.result.columns.uid": "", + "osquery.result.columns.user_uuid": "", + "osquery.result.columns.uuid": "", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + 
"osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_disk_encryption", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 32131, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.build": "", + "osquery.result.columns.codename": "xenial", + "osquery.result.columns.major": "16", + "osquery.result.columns.minor": "4", + "osquery.result.columns.name": "Ubuntu", + "osquery.result.columns.patch": "0", + "osquery.result.columns.platform": "ubuntu", + "osquery.result.columns.platform_like": "debian", + "osquery.result.columns.version": "16.04.3 LTS (Xenial Xerus)", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_os_version", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:19.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 32585, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.build_distro": "xenial", + "osquery.result.columns.build_platform": "ubuntu", + "osquery.result.columns.config_hash": "316a3b407f3a225961bbcdb703efd3dc5d1a2d94", + "osquery.result.columns.config_valid": "1", + "osquery.result.columns.datetime": "2017-12-07T17:57:19Z", + 
"osquery.result.columns.day": "7", + "osquery.result.columns.extensions": "active", + "osquery.result.columns.hour": "17", + "osquery.result.columns.instance_id": "5a1e5efb-abc0-4230-9ec2-290e72fe098c", + "osquery.result.columns.iso_8601": "2017-12-07T17:57:19Z", + "osquery.result.columns.local_time": "1512669439", + "osquery.result.columns.local_timezone": "CET", + "osquery.result.columns.minutes": "57", + "osquery.result.columns.month": "12", + "osquery.result.columns.pid": "11631", + "osquery.result.columns.seconds": "19", + "osquery.result.columns.start_time": "1512669436", + "osquery.result.columns.timestamp": "Thu Dec 7 17:57:19 2017 UTC", + "osquery.result.columns.timezone": "GMT", + "osquery.result.columns.unix_time": "1512669439", + "osquery.result.columns.uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.columns.version": "2.10.2", + "osquery.result.columns.watcher": "11629", + "osquery.result.columns.weekday": "Thursday", + "osquery.result.columns.year": "2017", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_osquery_info", + "osquery.result.unix_time": "1512669439", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 33499, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "sysfs", + "osquery.result.columns.device_alias": "sysfs", + 
"osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys", + "osquery.result.columns.type": "sysfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 33999, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "proc", + "osquery.result.columns.device_alias": "/proc", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/proc", + "osquery.result.columns.type": "proc", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + 
"input.type": "log", + "log.offset": 34499, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "124670", + "osquery.result.columns.blocks_available": "124670", + "osquery.result.columns.blocks_free": "124670", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "udev", + "osquery.result.columns.device_alias": "udev", + "osquery.result.columns.flags": "rw,nosuid,relatime,size=498680k,nr_inodes=124670,mode=755", + "osquery.result.columns.inodes": "124670", + "osquery.result.columns.inodes_free": "124285", + "osquery.result.columns.path": "/dev", + "osquery.result.columns.type": "devtmpfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 35051, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "devpts", + "osquery.result.columns.device_alias": "devpts", + "osquery.result.columns.flags": "rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/dev/pts", + "osquery.result.columns.type": "devpts", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 35581, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "25399", + "osquery.result.columns.blocks_available": "24296", + "osquery.result.columns.blocks_free": "24296", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "tmpfs", + "osquery.result.columns.device_alias": "tmpfs", + "osquery.result.columns.flags": "rw,nosuid,noexec,relatime,size=101596k,mode=755", + "osquery.result.columns.inodes": "126992", + "osquery.result.columns.inodes_free": "126503", + "osquery.result.columns.path": "/run", + "osquery.result.columns.type": "tmpfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 36119, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "2524617", + "osquery.result.columns.blocks_available": 
"1982549", + "osquery.result.columns.blocks_free": "1986645", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "/dev/sda1", + "osquery.result.columns.device_alias": "/dev/sda1", + "osquery.result.columns.flags": "rw,relatime,data=ordered", + "osquery.result.columns.inodes": "1280000", + "osquery.result.columns.inodes_free": "1159125", + "osquery.result.columns.path": "/", + "osquery.result.columns.type": "ext4", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 36650, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "securityfs", + "osquery.result.columns.device_alias": "securityfs", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/kernel/security", + "osquery.result.columns.type": "securityfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + 
"osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 37183, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "126992", + "osquery.result.columns.blocks_available": "126992", + "osquery.result.columns.blocks_free": "126992", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "tmpfs", + "osquery.result.columns.device_alias": "tmpfs", + "osquery.result.columns.flags": "rw,nosuid,nodev", + "osquery.result.columns.inodes": "126992", + "osquery.result.columns.inodes_free": "126991", + "osquery.result.columns.path": "/dev/shm", + "osquery.result.columns.type": "tmpfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 37697, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "1280", + "osquery.result.columns.blocks_available": "1280", + "osquery.result.columns.blocks_free": "1280", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "tmpfs", + "osquery.result.columns.device_alias": "tmpfs", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,size=5120k", + 
"osquery.result.columns.inodes": "126992", + "osquery.result.columns.inodes_free": "126989", + "osquery.result.columns.path": "/run/lock", + "osquery.result.columns.type": "tmpfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 38233, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "126992", + "osquery.result.columns.blocks_available": "126992", + "osquery.result.columns.blocks_free": "126992", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "tmpfs", + "osquery.result.columns.device_alias": "tmpfs", + "osquery.result.columns.flags": "ro,nosuid,nodev,noexec,mode=755", + "osquery.result.columns.inodes": "126992", + "osquery.result.columns.inodes_free": "126976", + "osquery.result.columns.path": "/sys/fs/cgroup", + "osquery.result.columns.type": "tmpfs", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + 
"log.offset": 38770, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "cgroup", + "osquery.result.columns.device_alias": "cgroup", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/cgroup/systemd", + "osquery.result.columns.type": "cgroup", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 39365, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "pstore", + "osquery.result.columns.device_alias": "pstore", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/pstore", + "osquery.result.columns.type": "pstore", + "osquery.result.counter": "0", + 
"osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 39880, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "cgroup", + "osquery.result.columns.device_alias": "cgroup", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,cpu,cpuacct", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/cgroup/cpu,cpuacct", + "osquery.result.columns.type": "cgroup", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 40420, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + 
"osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "cgroup", + "osquery.result.columns.device_alias": "cgroup", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,perf_event", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/cgroup/perf_event", + "osquery.result.columns.type": "cgroup", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 40958, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "cgroup", + "osquery.result.columns.device_alias": "cgroup", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,pids", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/cgroup/pids", + "osquery.result.columns.type": "cgroup", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + 
"osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 41484, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "cgroup", + "osquery.result.columns.device_alias": "cgroup", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,cpuset", + "osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/cgroup/cpuset", + "osquery.result.columns.type": "cgroup", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + }, + { + "@timestamp": "2017-12-07T17:57:21.000Z", + "ecs.version": "1.0.0", + "event.dataset": "osquery.result", + "event.module": "osquery", + "fileset.name": "result", + "input.type": "log", + "log.offset": 42014, + "osquery.result.action": "added", + "osquery.result.calendar_time": "Thu Dec 7 17:57:21 2017 UTC", + "osquery.result.columns.blocks": "0", + "osquery.result.columns.blocks_available": "0", + "osquery.result.columns.blocks_free": "0", + "osquery.result.columns.blocks_size": "4096", + "osquery.result.columns.device": "cgroup", + "osquery.result.columns.device_alias": "cgroup", + "osquery.result.columns.flags": "rw,nosuid,nodev,noexec,relatime,blkio", + 
"osquery.result.columns.inodes": "0", + "osquery.result.columns.inodes_free": "0", + "osquery.result.columns.path": "/sys/fs/cgroup/blkio", + "osquery.result.columns.type": "cgroup", + "osquery.result.counter": "0", + "osquery.result.decorations.host_uuid": "72E1287B-D1BC-4FC6-B9D8-64F4352776A9", + "osquery.result.decorations.username": "ubuntu", + "osquery.result.epoch": "0", + "osquery.result.host_identifier": "ubuntu-xenial", + "osquery.result.name": "pack_it-compliance_mounts", + "osquery.result.unix_time": "1512669441", + "service.type": "osquery" + } +] \ No newline at end of file diff --git a/filebeat/module/postgresql/log/test/postgresql-ubuntu-9.5.log-expected.json b/filebeat/module/postgresql/log/test/postgresql-ubuntu-9.5.log-expected.json new file mode 100644 index 00000000000..e960a49642a --- /dev/null +++ b/filebeat/module/postgresql/log/test/postgresql-ubuntu-9.5.log-expected.json 
@@ -0,0 +1,1248 @@ +[ + { + "@timestamp": "2017-04-03T22:32:14.322Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 0, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-03 22:32:14.322", + "process.pid": 31225, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-03T22:32:14.322Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 118, + "message": "unexpected EOF on client connection with an open transaction", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-03 22:32:14.322", + "process.pid": 31225, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-03T22:35:22.389Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 236, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-03 22:35:22.389", + "process.pid": 3474, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-03T22:36:56.464Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 353, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-03 
22:36:56.464", + "process.pid": 3525, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-03T22:37:12.961Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 470, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-03 22:37:12.961", + "process.pid": 3570, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T21:05:28.549Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 587, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 21:05:28.549", + "process.pid": 21483, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T21:09:41.345Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 705, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 21:09:41.345", + "process.pid": 21597, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T22:45:30.218Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 823, + "message": "operator does not exist: jsonb @> at character 49", + 
"postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 22:45:30.218", + "process.pid": 22603, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T22:45:30.218Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "HINT", + "log.offset": 932, + "message": "No operator matches the given name and argument type(s). You might need to add explicit type casts.", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 22:45:30.218", + "process.pid": 22603, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T22:45:30.218Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "STATEMENT", + "log.offset": 1090, + "message": "SELECT id, user FROM users WHERE NOT user @> %s", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 22:45:30.218", + "process.pid": 22603, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T22:46:09.751Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 1201, + "message": "column \"%s\" does not exist at character 52", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 22:46:09.751", + "process.pid": 22608, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T22:46:09.751Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": 
"STATEMENT", + "log.offset": 1303, + "message": "SELECT id, user FROM users WHERE NOT user @> \"%s\"", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 22:46:09.751", + "process.pid": 22608, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:02:51.199Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 1416, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:02:51.199", + "process.pid": 24341, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:02:51.199Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 1534, + "message": "unexpected EOF on client connection with an open transaction", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:02:51.199", + "process.pid": 24341, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:04:36.087Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 1652, + "message": "syntax error at or near \"{\" at character 49", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:04:36.087", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:04:36.087Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": 
"CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "STATEMENT", + "log.offset": 1755, + "message": "INSERT INTO users (id, user) VALUES (1, {\"attr\": \"yes\"});", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:04:36.087", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:04:51.462Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 1876, + "message": "syntax error at or near \"{\" at character 49", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:04:51.462", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:04:51.462Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "STATEMENT", + "log.offset": 1979, + "message": "INSERT INTO users (id, user) VALUES (1, {attr: \"yes\"});", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:04:51.462", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:05:06.217Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 2098, + "message": "column \"a\" does not exist at character 42", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:05:06.217", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:05:06.217Z", + "ecs.version": "1.0.0", + "event.dataset": 
"postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "STATEMENT", + "log.offset": 2199, + "message": "INSERT INTO users (id, user) VALUES (1, '{\"attr\": \"yes\"}');", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:05:06.217", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:05:18.295Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 2322, + "message": "column \"attr\" does not exist at character 42", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:05:18.295", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:05:18.295Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "STATEMENT", + "log.offset": 2426, + "message": "INSERT INTO users (id, user) VALUES (\"1\", '{\"attr\": \"no\"}');", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:05:18.295", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-07T23:13:47.505Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 2550, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:13:47.505", + "process.pid": 24489, + "service.type": "postgresql", + "user.name": "postgres" + }, 
+ { + "@timestamp": "2017-04-07T23:13:47.505Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 2668, + "message": "unexpected EOF on client connection with an open transaction", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-07 23:13:47.505", + "process.pid": 24489, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-08T12:32:51.056Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "ERROR", + "log.offset": 2786, + "message": "duplicate key value violates unique constraint \"users_pkey\"", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-08 12:32:51.056", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-08T12:32:51.056Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "DETAIL", + "log.offset": 2905, + "message": "Key (id)=(1) already exists.", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-08 12:32:51.056", + "process.pid": 20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-08T12:32:51.056Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "STATEMENT", + "log.offset": 2994, + "message": "INSERT INTO users (id, user) VALUES ('1', '{\"attr\": \"yes\"}');", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-08 12:32:51.056", + "process.pid": 
20730, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-08T21:54:37.443Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3119, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-08 21:54:37.443", + "process.pid": 30630, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-08T21:54:37.468Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3237, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-04-08 21:54:37.468", + "process.pid": 30502, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-04-08T21:54:37.618Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3355, + "message": "received fast shutdown request", + "postgresql.log.timestamp": "2017-04-08 21:54:37.618", + "process.pid": 20769, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:54:37.618Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3429, + "message": "aborting any active transactions", + "postgresql.log.timestamp": "2017-04-08 21:54:37.618", + "process.pid": 20769, + "service.type": "postgresql" + }, + { + "@timestamp": 
"2017-04-08T21:54:37.618Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3505, + "message": "autovacuum launcher shutting down", + "postgresql.log.timestamp": "2017-04-08 21:54:37.618", + "process.pid": 20774, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:54:37.622Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3582, + "message": "shutting down", + "postgresql.log.timestamp": "2017-04-08 21:54:37.622", + "process.pid": 20771, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:54:37.644Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3639, + "message": "database system is shut down", + "postgresql.log.timestamp": "2017-04-08 21:54:37.644", + "process.pid": 20769, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:56:02.932Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3711, + "message": "database system was shut down at 2017-04-08 21:54:37 CEST", + "postgresql.log.timestamp": "2017-04-08 21:56:02.932", + "process.pid": 797, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:56:02.944Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3810, + "message": "MultiXact member 
wraparound protections are now enabled", + "postgresql.log.timestamp": "2017-04-08 21:56:02.944", + "process.pid": 797, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:56:02.946Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3907, + "message": "database system is ready to accept connections", + "postgresql.log.timestamp": "2017-04-08 21:56:02.946", + "process.pid": 780, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:56:02.947Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 3995, + "message": "autovacuum launcher started", + "postgresql.log.timestamp": "2017-04-08 21:56:02.947", + "process.pid": 802, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-04-08T21:56:03.362Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4064, + "message": "incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-04-08 21:56:03.362", + "process.pid": 891, + "service.type": "postgresql", + "user.name": "unknown" + }, + { + "@timestamp": "2017-05-27T14:07:53.007Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4151, + "message": "database system was shut down at 2017-05-27 14:07:52 UTC", + "postgresql.log.timestamp": "2017-05-27 14:07:53.007", + "process.pid": 32567, + "service.type": "postgresql" + }, + { + "@timestamp": 
"2017-05-27T14:07:53.010Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4250, + "message": "MultiXact member wraparound protections are now enabled", + "postgresql.log.timestamp": "2017-05-27 14:07:53.010", + "process.pid": 32567, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-05-27T14:07:53.015Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4348, + "message": "database system is ready to accept connections", + "postgresql.log.timestamp": "2017-05-27 14:07:53.015", + "process.pid": 32566, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-05-27T14:07:53.016Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4437, + "message": "autovacuum launcher started", + "postgresql.log.timestamp": "2017-05-27 14:07:53.016", + "process.pid": 32571, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-05-27T14:07:53.463Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4507, + "message": "incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-05-27 14:07:53.463", + "process.pid": 32573, + "service.type": "postgresql", + "user.name": "unknown" + }, + { + "@timestamp": "2017-05-27T14:08:13.661Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": 
"log", + "log.level": "FATAL", + "log.offset": 4595, + "message": "database \"mydb\" does not exist", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-05-27 14:08:13.661", + "process.pid": 1308, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-05-27T14:59:26.553Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4683, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-05-27 14:59:26.553", + "process.pid": 1994, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-05-27T14:59:26.555Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "UTC", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4799, + "message": "could not receive data from client: Connection reset by peer", + "postgresql.log.database": "mydb", + "postgresql.log.timestamp": "2017-05-27 14:59:26.555", + "process.pid": 1989, + "service.type": "postgresql", + "user.name": "postgres" + }, + { + "@timestamp": "2017-06-06T07:54:13.753Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 4915, + "message": "received fast shutdown request", + "postgresql.log.timestamp": "2017-06-06 07:54:13.753", + "process.pid": 9110, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:54:13.753Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + 
"log.offset": 4988, + "message": "aborting any active transactions", + "postgresql.log.timestamp": "2017-06-06 07:54:13.753", + "process.pid": 9110, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:54:13.753Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5063, + "message": "autovacuum launcher shutting down", + "postgresql.log.timestamp": "2017-06-06 07:54:13.753", + "process.pid": 9115, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:54:13.755Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5139, + "message": "shutting down", + "postgresql.log.timestamp": "2017-06-06 07:54:13.755", + "process.pid": 9112, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:54:13.816Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5195, + "message": "database system is shut down", + "postgresql.log.timestamp": "2017-06-06 07:54:13.816", + "process.pid": 9110, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:55:39.725Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5266, + "message": "database system was shut down at 2017-06-06 07:54:13 CEST", + "postgresql.log.timestamp": "2017-06-06 07:55:39.725", + "process.pid": 12969, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:55:39.736Z", + "ecs.version": "1.0.0", + "event.dataset": 
"postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5367, + "message": "MultiXact member wraparound protections are now enabled", + "postgresql.log.timestamp": "2017-06-06 07:55:39.736", + "process.pid": 12969, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:55:39.739Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5466, + "message": "database system is ready to accept connections", + "postgresql.log.timestamp": "2017-06-06 07:55:39.739", + "process.pid": 12968, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:55:39.739Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5556, + "message": "autovacuum launcher started", + "postgresql.log.timestamp": "2017-06-06 07:55:39.739", + "process.pid": 12973, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-06T07:55:40.155Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5627, + "message": "incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-06-06 07:55:40.155", + "process.pid": 12975, + "service.type": "postgresql", + "user.name": "unknown" + }, + { + "@timestamp": "2017-06-06T07:55:40.156Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5716, + "message": 
"incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-06-06 07:55:40.156", + "process.pid": 12975, + "service.type": "postgresql", + "user.name": "unknown" + }, + { + "@timestamp": "2017-06-10T19:37:30.681Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5805, + "message": "database system was shut down at 2017-06-10 19:37:29 CEST", + "postgresql.log.timestamp": "2017-06-10 19:37:30.681", + "process.pid": 17398, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T19:37:30.695Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 5906, + "message": "MultiXact member wraparound protections are now enabled", + "postgresql.log.timestamp": "2017-06-10 19:37:30.695", + "process.pid": 17398, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T19:37:30.702Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6005, + "message": "database system is ready to accept connections", + "postgresql.log.timestamp": "2017-06-10 19:37:30.702", + "process.pid": 17397, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T19:37:30.702Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6095, + "message": "autovacuum launcher started", + "postgresql.log.timestamp": "2017-06-10 19:37:30.702", + "process.pid": 17402, + "service.type": "postgresql" + }, + { + 
"@timestamp": "2017-06-10T19:37:31.104Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6166, + "message": "incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-06-10 19:37:31.104", + "process.pid": 17404, + "service.type": "postgresql", + "user.name": "unknown" + }, + { + "@timestamp": "2017-06-10T20:27:55.911Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6255, + "message": "received fast shutdown request", + "postgresql.log.timestamp": "2017-06-10 20:27:55.911", + "process.pid": 17397, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:55.911Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6329, + "message": "aborting any active transactions", + "postgresql.log.timestamp": "2017-06-10 20:27:55.911", + "process.pid": 17397, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:55.911Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6405, + "message": "autovacuum launcher shutting down", + "postgresql.log.timestamp": "2017-06-10 20:27:55.911", + "process.pid": 17402, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:55.914Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + 
"log.level": "LOG", + "log.offset": 6482, + "message": "shutting down", + "postgresql.log.timestamp": "2017-06-10 20:27:55.914", + "process.pid": 17399, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:55.973Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6539, + "message": "database system is shut down", + "postgresql.log.timestamp": "2017-06-10 20:27:55.973", + "process.pid": 17397, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:57.022Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6611, + "message": "database system was shut down at 2017-06-10 20:27:55 CEST", + "postgresql.log.timestamp": "2017-06-10 20:27:57.022", + "process.pid": 24490, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:57.032Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6712, + "message": "MultiXact member wraparound protections are now enabled", + "postgresql.log.timestamp": "2017-06-10 20:27:57.032", + "process.pid": 24490, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:57.035Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6811, + "message": "autovacuum launcher started", + "postgresql.log.timestamp": "2017-06-10 20:27:57.035", + "process.pid": 24494, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:57.035Z", + 
"ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6882, + "message": "database system is ready to accept connections", + "postgresql.log.timestamp": "2017-06-10 20:27:57.035", + "process.pid": 24489, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-10T20:27:57.475Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 6972, + "message": "incomplete startup packet", + "postgresql.log.database": "unknown", + "postgresql.log.timestamp": "2017-06-10 20:27:57.475", + "process.pid": 24496, + "service.type": "postgresql", + "user.name": "unknown" + }, + { + "@timestamp": "2017-06-17T16:58:03.937Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 7061, + "message": "received fast shutdown request", + "postgresql.log.timestamp": "2017-06-17 16:58:03.937", + "process.pid": 24489, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-17T16:58:03.937Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 7135, + "message": "aborting any active transactions", + "postgresql.log.timestamp": "2017-06-17 16:58:03.937", + "process.pid": 24489, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-17T16:58:03.938Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 7211, 
+ "message": "autovacuum launcher shutting down", + "postgresql.log.timestamp": "2017-06-17 16:58:03.938", + "process.pid": 24494, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-17T16:58:03.940Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 7288, + "message": "shutting down", + "postgresql.log.timestamp": "2017-06-17 16:58:03.940", + "process.pid": 24491, + "service.type": "postgresql" + }, + { + "@timestamp": "2017-06-17T16:58:04.040Z", + "ecs.version": "1.0.0", + "event.dataset": "postgresql.log", + "event.module": "postgresql", + "event.timezone": "CEST", + "fileset.name": "log", + "input.type": "log", + "log.level": "LOG", + "log.offset": 7345, + "message": "database system is shut down", + "postgresql.log.timestamp": "2017-06-17 16:58:04.040", + "process.pid": 24489, + "service.type": "postgresql" + } +] \ No newline at end of file diff --git a/filebeat/module/redis/log/test/redis-darwin-3.0.2.log-expected.json b/filebeat/module/redis/log/test/redis-darwin-3.0.2.log-expected.json new file mode 100644 index 00000000000..20c494c9064 --- /dev/null +++ b/filebeat/module/redis/log/test/redis-darwin-3.0.2.log-expected.json 
@@ -0,0 +1,232 @@ +[ + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 0, + "message": "Increased maximum number of open files to 10032 (it was originally set to 4864).", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 1261, + "message": "Server started, Redis version 3.0.2", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 1326, + "message": "DB loaded from disk: 0.001 seconds", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 1390, + "message": "The server is now ready to accept connections on port 6379", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1478, + "message": "Received SIGINT scheduling shutdown...", + "process.pid": 4961, + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 1550, + "message": "User requested shutdown...", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": 
"redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 1606, + "message": "Saving the final RDB snapshot before exiting.", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 1681, + "message": "DB saved on disk", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 1727, + "message": "Redis is now ready to exit, bye bye...", + "process.pid": 4961, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 1795, + "message": "Increased maximum number of open files to 10032 (it was originally set to 4864).", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 3056, + "message": "Server started, Redis version 3.0.2", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 3121, + "message": "DB loaded from disk: 0.000 seconds", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", 
+ "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 3185, + "message": "The server is now ready to accept connections on port 6379", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.offset": 3273, + "message": "Received SIGINT scheduling shutdown...", + "process.pid": 5092, + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 3345, + "message": "User requested shutdown...", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 3401, + "message": "Saving the final RDB snapshot before exiting.", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 3476, + "message": "DB saved on disk", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 3522, + "message": "Redis is now ready to exit, bye bye...", + "process.pid": 5092, + "redis.log.role": "master", + "service.type": "redis" + } +] \ No newline at end of file 
diff --git a/filebeat/module/redis/log/test/redis-debian-1.2.6.log-expected.json b/filebeat/module/redis/log/test/redis-debian-1.2.6.log-expected.json new file mode 100644 index 00000000000..6eaef19df79 --- /dev/null +++ b/filebeat/module/redis/log/test/redis-debian-1.2.6.log-expected.json 
@@ -0,0 +1,1102 @@ +[ + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 0, + "message": "Server started, Redis version 1.2.6", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 54, + "message": "WARNING overcommit_memory is set to 0! Background save may fail under low condition memory. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 325, + "message": "The server is now ready to accept connections on port 6379", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 402, + "message": "Server started, Redis version 1.2.6", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 456, + "message": "WARNING overcommit_memory is set to 0! Background save may fail under low condition memory. 
To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 727, + "message": "The server is now ready to accept connections on port 6379", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 804, + "message": "Server started, Redis version 1.2.6", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 858, + "message": "WARNING overcommit_memory is set to 0! Background save may fail under low condition memory. 
To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1129, + "message": "The server is now ready to accept connections on port 6379", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1206, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1294, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1382, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1470, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1558, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + 
"ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1646, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1734, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1822, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1910, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 1998, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2086, + "message": "0 clients connected (0 slaves), 618932 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2174, + "message": "Accepted 
127.0.0.1:56742", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2217, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2305, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2393, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2481, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2569, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2657, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + 
"log.level": "debug", + "log.offset": 2745, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2833, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 2921, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3009, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3097, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3185, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3273, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + 
"event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3361, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3449, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3537, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3625, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3713, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3801, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3889, + "message": "1 clients connected (0 slaves), 
619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 3977, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4065, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4153, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4241, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4329, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4417, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + 
"input.type": "log", + "log.level": "debug", + "log.offset": 4505, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4593, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4681, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4769, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4857, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 4945, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5033, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + 
"ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5121, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5209, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5297, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5385, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5473, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5561, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5649, + "message": "1 
clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5737, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5825, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 5913, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6001, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6089, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6177, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + 
"fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6265, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6353, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6441, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6529, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6617, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6705, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6793, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": 
"redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6881, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 6969, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7057, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7145, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7233, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7321, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7409, + 
"message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7497, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7585, + "message": "1 clients connected (0 slaves), 619381 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7673, + "message": "Closing idle client", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7711, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7799, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 7887, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": 
"log", + "log.level": "debug", + "log.offset": 7975, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8063, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8151, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8239, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8327, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8415, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8503, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", 
+ "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8591, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8679, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8767, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8855, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 8943, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "debug", + "log.offset": 9031, + "message": "0 clients connected (0 slaves), 619100 bytes in use, 0 shared objects", + "service.type": "redis" + } +] \ No newline at end of file 
diff --git a/filebeat/module/redis/log/test/redis-windows-2.4.6.log-expected.json b/filebeat/module/redis/log/test/redis-windows-2.4.6.log-expected.json new file mode 100644 index 00000000000..fc438b666db --- /dev/null +++ b/filebeat/module/redis/log/test/redis-windows-2.4.6.log-expected.json 
@@ -0,0 +1,376 @@ +[ + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 0, + "message": "Server started, Redis version 2.4.6", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "warning", + "log.offset": 61, + "message": "Open data file dump.rdb: No such file or directory", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "notice", + "log.offset": 137, + "message": "The server is now ready to accept connections on port 6379", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 221, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 299, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 377, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 455, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + 
"ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 533, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 611, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 689, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 767, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 845, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 923, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1001, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + 
"ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1079, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1157, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1235, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1313, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1391, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1469, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1547, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + 
"ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1625, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1703, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1781, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1859, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 1937, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2015, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2093, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + 
"ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2171, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2249, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2327, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2405, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2483, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "redis.log", + "event.module": "redis", + "fileset.name": "log", + "input.type": "log", + "log.level": "verbose", + "log.offset": 2561, + "message": "0 clients connected (0 slaves), 1179968 bytes in use", + "service.type": "redis" + } +] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json new file mode 100644 index 00000000000..9a0d53901ed --- /dev/null 
+++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json 
@@ -0,0 +1,1327 @@ +[ + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 0, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 81, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 464, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 570, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 655, + "message": "subsystem request for sftp by user vagrant", + "process.name": 
"sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 736, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xspkubktopzqiwiofvdhqaglconkrgwp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675181.24-158548606882799/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1121, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1227, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1312, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1393, + "process.name": "sudo", + 
"service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vxcrqvczsrjrrsjcokculalhrgfsxqzl; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675202.4-199750250589919/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1776, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1882, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 1967, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 2048, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-gruorqbeefuuhfprfoqzsftalatgwwvf; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/file; rm -rf 
/home/vagrant/.ansible/tmp/ansible-tmp-1486675203.3-59927285912173/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 2426, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 2532, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 2617, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 2698, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-fnthqelgspkbnpnxlsknzcbyxbqqxpmt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675204.07-135388534337396/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": 
"system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 3083, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 3189, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 3274, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "input.type": "log", + "log.offset": 3355, + "message": "last message repeated 2 times", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 3414, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-wagdvfiuqxtryvmyrqlfcwoxeqqrxejt; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/async_wrapper 321853834469 45 /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/command /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/arguments; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675206.28-198308747142204/ >/dev/null 2>&1", + 
"system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 3977, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 4083, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 4168, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 4249, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lkgydmrwiywdfvxfoxmgntufiumtzpmq; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675212.66-81790186240643/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": 
"precise32", + "input.type": "log", + "log.offset": 4632, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 4738, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 4823, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 4904, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-mjsapklbglujaoktlsyytirwygexdily; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675218.96-234174787135180/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 5289, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + 
"event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 5395, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 5480, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 5561, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-kvmafqtdnnvnyfyqlnoovickcavkqwdy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/setup; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675219.83-99205535237718/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 5942, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6048, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + 
"event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6133, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6214, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-nhrnwbdpypmsmvcstuihfqfbcvpxrmys; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675224.58-12467498973476/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6597, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6703, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6788, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + 
"service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 6869, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-buzartmsbrirxgcoibjpsqjkldihhexh; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675228.25-195852789001210/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 7254, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 7360, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 7445, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 7526, + "process.name": "sudo", + "service.type": "system", + 
"system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-swwkpvmnxhcuduxerfbgclhsmgbhwzie; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675247.78-128146395950020/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 7911, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8017, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8102, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8183, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-raffykohamlcbnpxzipksbvfpjbfpagy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/apt; rm -rf 
/home/vagrant/.ansible/tmp/ansible-tmp-1486675250.82-190689706060358/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8564, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8670, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8755, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 8836, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-dfoxiractbmtavfiwfnhzfkftipjumph; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675251.6-137767038423665/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": 
"system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 9215, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 9321, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 9406, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 9487, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-jveaoynmhsmeodakzfhhaodihyroxobu; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675261.29-208287411335817/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 9869, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": 
"system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 9975, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 10060, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] && rc=3; python -V 2>/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] && echo \"${rc} \"/etc/metricbeat/metricbeat.yml && exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) > 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2>/dev/null) || (echo '0 ", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11099, + "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", + 
"process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11195, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11301, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11386, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11467, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11548, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-yesyhegdrhiolusidthffdemrxphqdfm; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/copy; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675262.15-83340738940485/ >/dev/null 2>&1", + "system.auth.sudo.pwd": 
"/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 11928, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 12034, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 12119, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 12200, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-vqbyiylfjufyxlwvxcwusklrtmiekpia; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675263.16-15325827909434/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": 
"log", + "log.offset": 12583, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 12689, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 12774, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 12855, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-osrbplljwskuafamtjuanhwfxqdxmfbj; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/wait_for; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675264.47-179299683847940/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 13241, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + 
"fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 13347, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 13432, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 13513, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-xqypdfdxashhaekghbfnpdlcgsmfarmy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/service; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675265.39-273766954542007/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 13898, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14004, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": 
"system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14089, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14170, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ktkmpxhjivossxngupfgrqfobhopruzp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/apt; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675266.58-47565152594552/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14549, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14655, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14740, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, 
+ { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 14821, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-erpqyqrmifxazcclvbqytjwxgdplhtpy; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/file; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675275.74-155140815824587/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 15203, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 15309, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 15394, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 15475, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": 
"/bin/sh -c echo BECOME-SUCCESS-cfqjebskszjdqpksprlbjpbttastwzyp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675276.62-248748589735433/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 15860, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 15966, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 16051, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 16132, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-oxbowrzvfhsebemuiblilqwvdxvnwztv; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675280.28-272460786101534/ 
>/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 16517, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 16623, + "message": "pam_unix(sudo:session): session closed for user root", + "process.name": "sudo", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 16708, + "message": "subsystem request for sftp by user vagrant", + "process.name": "sshd", + "process.pid": 8317, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "precise32", + "input.type": "log", + "log.offset": 16789, + "process.name": "sudo", + "service.type": "system", + "system.auth.sudo.command": "/bin/sh -c echo BECOME-SUCCESS-ohlhhhazvtawqawluadjlxglowwenmyc; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/command; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675302.51-201837201796085/ >/dev/null 2>&1", + "system.auth.sudo.pwd": "/home/vagrant", + "system.auth.sudo.tty": "pts/0", + "system.auth.sudo.user": "root", + "user.name": "vagrant" + } +] \ No newline at end of file 
diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
new file mode 100644
index 00000000000..92f3d5e29fb
--- /dev/null
+++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json
@@ -0,0 +1,1792 @@ +[ + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 0, + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1786, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 97, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 209, + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1786, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { 
+ "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 306, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 418, + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1786, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 515, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 618, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + 
"event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 760, + "message": "PAM service(sshd) ignoring max retries; 5 > 3", + "process.name": "sshd", + "process.pid": 2738, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 842, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 993, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1105, + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3576, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + 
"input.type": "log", + "log.offset": 1202, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1314, + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3576, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1411, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1523, + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", 
+ "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3576, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1620, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1732, + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3576, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1829, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": 
"auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 1941, + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3576, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2038, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2141, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2283, + "message": "PAM service(sshd) ignoring max retries; 5 > 3", + "process.name": "sshd", + "process.pid": 2742, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2365, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + 
"process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2516, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2628, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2777, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2889, + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, 
+ { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 2986, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3098, + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.27", + "source.port": 26714, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3194, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3306, + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system", + "source.geo.continent_name": "Asia", + 
"source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3403, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3515, + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.27", + "source.port": 26714, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3611, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + 
"event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3723, + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3820, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 3932, + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.27", + "source.port": 26714, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + 
"host.hostname": "slave22", + "input.type": "log", + "log.offset": 4028, + "message": "Received disconnect from 116.31.116.27: 11: [preauth]", + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4119, + "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", + "process.name": "sshd", + "process.pid": 2758, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4259, + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4356, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": 
"authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4468, + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4565, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4668, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4810, + "message": "PAM service(sshd) ignoring max retries; 5 > 3", + "process.name": "sshd", + "process.pid": 2754, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 4892, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 
user=root", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5043, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5155, + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1605, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5252, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5364, + "process.name": "sshd", + 
"process.pid": 2762, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1605, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5461, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5573, + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1605, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5670, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + 
"ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5782, + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1605, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5879, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 5991, + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1605, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": 
"1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6088, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6191, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6333, + "message": "PAM service(sshd) ignoring max retries; 5 > 3", + "process.name": "sshd", + "process.pid": 2762, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6415, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6566, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": 
"system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6678, + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1166, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6775, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 6887, + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1166, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", 
+ "log.offset": 6984, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7096, + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1166, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7193, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7305, + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + 
"source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1166, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7402, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7514, + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 1166, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7611, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7714, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 
tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7856, + "message": "PAM service(sshd) ignoring max retries; 5 > 3", + "process.name": "sshd", + "process.pid": 2766, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 7938, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8087, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8199, + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.27", + "source.port": 13996, + "system.auth.ssh.event": "Failed", + 
"system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8295, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8407, + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.27", + "source.port": 13996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8503, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8615, + "process.name": "sshd", + "process.pid": 2778, + 
"service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 23.1167, + "source.geo.location.lon": 113.25, + "source.geo.region_iso_code": "CN-GD", + "source.geo.region_name": "Guangdong", + "source.ip": "116.31.116.27", + "source.port": 13996, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8711, + "message": "Received disconnect from 116.31.116.27: 11: [preauth]", + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8802, + "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", + "process.name": "sshd", + "process.pid": 2778, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 8942, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9093, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + 
"event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9205, + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3300, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9302, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9414, + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3300, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": 
"system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9511, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9623, + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3300, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9720, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9832, + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + 
"source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3300, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 9929, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10041, + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": "202.109.143.106", + "source.port": 3300, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10138, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 
10241, + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10383, + "message": "PAM service(sshd) ignoring max retries; 5 > 3", + "process.name": "sshd", + "process.pid": 2785, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10465, + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", + "process.name": "sshd", + "process.pid": 2797, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10616, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2797, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", + "event.dataset": "system.auth", + "event.module": "system", + "event.outcome": "failure", + "event.type": "authentication_failure", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10728, + "process.name": "sshd", + "process.pid": 2797, + "service.type": "system", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 28.55, + "source.geo.location.lon": 115.9333, + "source.geo.region_iso_code": "CN-JX", + "source.geo.region_name": "Jiangxi", + "source.ip": 
"202.109.143.106", + "source.port": 1347, + "system.auth.ssh.event": "Failed", + "system.auth.ssh.method": "password", + "user.name": "root" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.auth", + "event.module": "system", + "fileset.name": "auth", + "host.hostname": "slave22", + "input.type": "log", + "log.offset": 10825, + "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", + "process.name": "sshd", + "process.pid": 2797, + "service.type": "system" + } +] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index b33632f39fd..d44abb0a1f0 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -1,12 +1,11 @@ [ { "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", "event.dataset": "system.auth", "event.module": "system", - "system.auth.ssh.event": "Accepted", "event.outcome": "success", - "event.category": "authentication", - "event.action": "ssh_login", "event.type": "authentication_success", "fileset.name": "auth", "host.hostname": "localhost", @@ -17,18 +16,18 @@ "service.type": "system", "source.ip": "10.0.2.2", "source.port": 63673, + "system.auth.ssh.event": "Accepted", "system.auth.ssh.method": "publickey", "system.auth.ssh.signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84", "user.name": "vagrant" }, { "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", "event.dataset": "system.auth", "event.module": "system", - "system.auth.ssh.event": "Accepted", "event.outcome": "success", - "event.category": "authentication", - "event.action": "ssh_login", "event.type": "authentication_success", "fileset.name": "auth", "host.hostname": "localhost", 
@@ -39,17 +38,17 @@ "service.type": "system", "source.ip": "192.168.33.1", "source.port": 58803, + "system.auth.ssh.event": "Accepted", "system.auth.ssh.method": "password", "user.name": "vagrant" }, { "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", "event.dataset": "system.auth", "event.module": "system", - "system.auth.ssh.event": "Invalid", "event.outcome": "failure", - "event.category": "authentication", - "event.action": "ssh_login", "event.type": "authentication_failure", "fileset.name": "auth", "host.hostname": "localhost", @@ -59,16 +58,16 @@ "process.pid": 3430, "service.type": "system", "source.ip": "10.0.2.2", + "system.auth.ssh.event": "Invalid", "user.name": "test" }, { "ecs.version": "1.0.0", + "event.action": "ssh_login", + "event.category": "authentication", "event.dataset": "system.auth", "event.module": "system", - "system.auth.ssh.event": "Failed", "event.outcome": "failure", - "event.category": "authentication", - "event.action": "ssh_login", "event.type": "authentication_failure", "fileset.name": "auth", "host.hostname": "slave22", @@ -85,6 +84,7 @@ "source.geo.region_name": "Guangdong", "source.ip": "116.31.116.24", "source.port": 29160, + "system.auth.ssh.event": "Failed", "system.auth.ssh.method": "password", "user.name": "root" }, @@ -186,4 +186,4 @@ "user.id": "48", "user.name": "apache" } -] +] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json new file mode 100644 index 00000000000..3fcc039742d --- /dev/null +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json 
@@ -0,0 +1,1302 @@ +[ + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 0, + "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 220, + "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 1127, + "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + 
"input.type": "log", + "log.offset": 1396, + "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1612, + "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t>,\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t>\n\t)}\n\tUsing server: \n\t>", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 2833, + "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 
'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 3377, + "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3925, + "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t 
\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t>", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 5675, + "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 6055, + "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 6436, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", + "process.name": "GoogleSoftwareUpdateAgent", + 
"process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 6719, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 6943, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 7166, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 7543, + "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from 
stdin.", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 7722, + "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 8050, + "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 8251, + "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 8631, + "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() 
Setting up download file handles...", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 8787, + "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 8993, + "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 9136, + "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", + "process.name": "ksfetch", + "process.pid": 21414, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 9276, + "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t<>", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": 
"system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 9540, + "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 9931, + "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t>", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 11060, + "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", + "process.name": "GoogleSoftwareUpdateAgent", + 
"process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 11357, + "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 11599, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 11823, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 12055, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": 
"system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 12281, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 12522, + "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 12761, + "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=\n\t\tserverInfoStore=\n\t\terrors=0\n\t>", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": 
"log", + "log.offset": 13788, + "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 14098, + "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats ", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 14537, + "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 14773, + "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 21412, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + 
"log.offset": 14975, + "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 15238, + "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 15501, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 15716, + "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 15979, + "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 16242, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 16312, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 16527, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 16689, + "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 16952, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 17167, + "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 17430, + "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 17693, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 17908, + "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 18171, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 18241, + "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 18504, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 18719, + "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 18982, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 19144, + "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 19407, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 19622, + "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 19885, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 19955, + "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", + "process.name": "Slack Helper", + "process.pid": 55199, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 20078, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 20293, + "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 20556, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 20771, + "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 21034, + "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 21297, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 21367, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 21582, + "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 21845, + "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 22108, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 22323, + "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 22586, + "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 22849, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 23064, + "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 23327, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 23397, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 23559, + "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 23822, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 24037, + "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", + "process.name": "Slack Helper", + "process.pid": 55199, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 24160, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 24375, + "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", + "process.name": "Slack Helper", + "process.pid": 55199, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 24498, + "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 24761, + "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 25024, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 25094, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 25309, + "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 25572, + "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: ", + "process.name": "GoogleSoftwareUpdateAgent", + "process.pid": 22318, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 26456, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 26671, + "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 26934, + "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", + "process.name": "Slack Helper", + "process.pid": 55199, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 27057, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", + "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 27219, + "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", + "process.name": "Slack Helper", + "process.pid": 55199, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 27342, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", + "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])", + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 27557, + "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 27820, + "message": "ASL Sender Statistics", + "process.name": "syslogd", + "process.pid": 46, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 27890, + "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", + "process.name": "Google Chrome", + "process.pid": 85294, + "service.type": "system" + }, + { + "ecs.version": "1.0.0", + "event.dataset": "system.syslog", + "event.module": "system", + "fileset.name": "syslog", + "host.hostname": "a-mac-with-esc-key", + "input.type": "log", + "log.offset": 28153, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook",
+ "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])",
+ "service.type": "system"
+ },
+ {
+ "ecs.version": "1.0.0",
+ "event.dataset": "system.syslog",
+ "event.module": "system",
+ "fileset.name": "syslog",
+ "host.hostname": "a-mac-with-esc-key",
+ "input.type": "log",
+ "log.offset": 28368,
+ "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process.name": "Google Chrome",
+ "process.pid": 85294,
+ "service.type": "system"
+ },
+ {
+ "ecs.version": "1.0.0",
+ "event.dataset": "system.syslog",
+ "event.module": "system",
+ "fileset.name": "syslog",
+ "host.hostname": "a-mac-with-esc-key",
+ "input.type": "log",
+ "log.offset": 28631,
+ "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.",
+ "process.name": "Google Chrome",
+ "process.pid": 85294,
+ "service.type": "system"
+ }
+]
\ No newline at end of file
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 322694c4d29..874c1ae35e7 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -167,8 +167,7 @@ def run_on_file(self, module, fileset, test_file, cfgfile):
 else:
 self.assert_fields_are_documented(obj)
- if os.path.exists(test_file + "-expected.json"):
- self._test_expected_events(test_file, objects)
+ self._test_expected_events(test_file, objects)
 def _test_expected_events(self, test_file, objects):