
New fileset for googlecloud firewall logs #14553

Merged (11 commits) Nov 19, 2019

Conversation

@adriansr (Contributor) commented Nov 15, 2019

This PR adds a new fileset, firewall, to the googlecloud module in Filebeat. It helps parse firewall logs generated by rules under VPC Network -> Firewall Rules.

Note that GCP only logs firewall events under the following conditions:

  • Logging needs to be enabled for each individual rule in order to log.
  • Only TCP and UDP rules can be logged.

See https://cloud.google.com/vpc/docs/using-firewall-rules-logging.

@adriansr adriansr force-pushed the feature_fb_gcp_firewall branch 3 times, most recently from 864113e to 6b3ef3c Compare November 15, 2019 17:35
@adriansr adriansr marked this pull request as ready for review November 18, 2019 14:09
@adriansr adriansr requested a review from a team as a code owner November 18, 2019 14:09
@adriansr adriansr requested review from a team and removed request for a team November 18, 2019 15:26
@elasticmachine (Collaborator) commented

Pinging @elastic/siem (Team:SIEM)

@andrewkroh (Member) left a comment

I like the addition of log.name and the keep_original_message. Either here or in a separate PR, can you please add those to vpcflow to keep them consistent?

@adriansr adriansr force-pushed the feature_fb_gcp_firewall branch from 9a8ac3b to 9c724fc Compare November 19, 2019 09:30
@andrewkroh (Member) left a comment

LGTM

ALLOWED: "allow",
DENIED: "deny"
},
default: "unknown"
@webmat (Contributor) commented Nov 19, 2019

Please note that event.outcome is still reserved.

The current thinking is that expected values in this field (when present) should be: "success" or "failure". Finer grained information such as "allow" or "deny" should be in another place, perhaps in event.action or a custom field.

As usual, populating a reserved field signs you up to having to do a breaking change later.

@webmat (Contributor) left a comment

"destination.domain": "local-adrian-test",
"destination.ip": "10.128.0.16",
"destination.port": 80,
"event.category": "firewall-rule",
@webmat (Contributor) left a comment

event.category is still reserved, and at this time, there is no plan to have a category named "firewall-rule".

Leaving this here signs you up to have to do a breaking change, once the expected values are published for event.category. The name of the category that will encapsulate firewall rule events is still very much in flux.

cc @MikePaquette

Comment on lines +49 to +52
"related.ip": [
"10.128.0.16",
"8.8.8.8"
],
@webmat (Contributor) left a comment

OMG thanks for filling that ❤️ 🙂

@webmat (Contributor) commented Nov 19, 2019

Other than me harping on the reserved fields, I'm really excited about this! Good work, as usual :-)

@adriansr (Contributor, Author) commented

Thanks @webmat

Regarding event.outcome / event.category, those are the fields and values already in use by other firewall data sources (cisco, iptables, panos), so I think it's better to keep compatibility now, and when those fields are standardized we can rename them all.
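The two threads above (the PR description's note on which GCP firewall events get logged, and the review discussion about where the allow/deny disposition belongs in ECS) can be made concrete with a small normalizer. The following is an added example written for this page; it is not the fileset's ingest pipeline and not Beats code. It assumes the jsonPayload layout that Google documents for VPC firewall rules logging (connection, disposition, instance, rule_details), constructs its own sample entry with made-up values, and follows the reviewer's suggestion of putting the fine-grained allow/deny value in event.action rather than event.outcome (the merged fileset keeps it in event.outcome). The treatment of the logged instance as the destination for INGRESS and the source for EGRESS, the rule.name extraction from rule_details.reference, and the helper names are this example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleEntry is a constructed Cloud Logging entry for a VPC firewall rule,
// following the documented jsonPayload layout; every value is made up.
const sampleEntry = `{
  "logName": "projects/my-project/logs/compute.googleapis.com%2Ffirewall",
  "timestamp": "2019-11-15T10:00:00.000Z",
  "jsonPayload": {
    "connection": {"src_ip": "8.8.8.8", "src_port": 53, "dest_ip": "10.128.0.16", "dest_port": 80, "protocol": 6},
    "disposition": "DENIED",
    "instance": {"project_id": "my-project", "vm_name": "local-adrian-test", "zone": "us-central1-a"},
    "rule_details": {"reference": "network:default/firewall:deny-http-ingress", "priority": 1000, "action": "DENY", "direction": "INGRESS"}
  }
}`

type firewallEntry struct {
	LogName   string `json:"logName"`
	Timestamp string `json:"timestamp"`
	Payload   struct {
		Connection struct {
			SrcIP    string `json:"src_ip"`
			SrcPort  int    `json:"src_port"`
			DestIP   string `json:"dest_ip"`
			DestPort int    `json:"dest_port"`
			Protocol int    `json:"protocol"`
		} `json:"connection"`
		Disposition string `json:"disposition"`
		Instance    struct {
			VMName string `json:"vm_name"`
		} `json:"instance"`
		RuleDetails struct {
			Reference string `json:"reference"`
			Direction string `json:"direction"`
		} `json:"rule_details"`
	} `json:"jsonPayload"`
}

// MapDisposition mirrors the fileset's ALLOWED/DENIED -> allow/deny table,
// with "unknown" as the fallback for anything else.
func MapDisposition(d string) string {
	switch d {
	case "ALLOWED":
		return "allow"
	case "DENIED":
		return "deny"
	}
	return "unknown"
}

// TransportName turns the IANA protocol number into an ECS network.transport
// value. GCP only logs TCP and UDP rules, so anything else is kept as the
// bare number rather than guessed at.
func TransportName(proto int) string {
	switch proto {
	case 6:
		return "tcp"
	case 17:
		return "udp"
	}
	return fmt.Sprintf("%d", proto)
}

// ToECS flattens one raw entry into dotted ECS field names.
func ToECS(raw string) (map[string]interface{}, error) {
	var e firewallEntry
	if err := json.Unmarshal([]byte(raw), &e); err != nil {
		return nil, err
	}
	c := e.Payload.Connection
	out := map[string]interface{}{
		"@timestamp":        e.Timestamp,
		"log.logger":        e.LogName,
		"source.ip":         c.SrcIP,
		"source.port":       c.SrcPort,
		"destination.ip":    c.DestIP,
		"destination.port":  c.DestPort,
		"network.transport": TransportName(c.Protocol),
		// Fine-grained allow/deny goes in event.action, as the reviewer
		// suggested; event.outcome is left unset because its expected values
		// were still undecided at the time of this PR.
		"event.action": MapDisposition(e.Payload.Disposition),
	}
	// Assumption: the logged instance is the destination for INGRESS traffic
	// and the source for EGRESS traffic.
	if name := e.Payload.Instance.VMName; name != "" {
		if e.Payload.RuleDetails.Direction == "EGRESS" {
			out["source.domain"] = name
		} else {
			out["destination.domain"] = name
		}
	}
	// rule_details.reference looks like "network:NET/firewall:RULE"; keep the
	// rule name so detections can pivot on it (this example's own choice).
	if ref := e.Payload.RuleDetails.Reference; ref != "" {
		if i := strings.LastIndex(ref, "firewall:"); i >= 0 {
			out["rule.name"] = ref[i+len("firewall:"):]
		}
	}
	// related.ip: every IP in the event, deduplicated and sorted so the
	// order is stable for consumers.
	seen := map[string]bool{}
	var related []string
	for _, ip := range []string{c.SrcIP, c.DestIP} {
		if ip != "" && !seen[ip] {
			seen[ip] = true
			related = append(related, ip)
		}
	}
	sort.Strings(related)
	out["related.ip"] = related
	return out, nil
}

func main() {
	ecs, err := ToECS(sampleEntry)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(ecs, "", "  ")
	fmt.Println(string(b))
}
```

Running it prints the flattened event; the related.ip array comes out as the same two addresses the reviewer saw in the fileset's expected output, and a DENIED entry maps to event.action "deny" with the rule name preserved for correlation.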

@adriansr adriansr merged commit 4a66f0b into elastic:master Nov 19, 2019
@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Jan 16, 2020
adriansr added a commit to adriansr/beats that referenced this pull request Jan 16, 2020
This PR adds a new fileset, firewall, to the googlecloud module in Filebeat. It helps
parsing firewall logs generated by rules under VPC Network -> Firewall Rules.

Note that GCP only logs firewall events under the following conditions:
- Logging needs to be enabled for each individual rule in order to log.
- Only TCP and UDP rules can be logged.

(cherry picked from commit 4a66f0b)
@adriansr adriansr added v7.6.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jan 16, 2020
adriansr added a commit to adriansr/beats that referenced this pull request Jan 16, 2020

(cherry picked from commit 4a66f0b)
adriansr added a commit that referenced this pull request Jan 17, 2020
…15621)

* New fileset for googlecloud firewall logs (#14553)

This PR adds a new fileset, firewall, to the googlecloud module in Filebeat. It helps
parsing firewall logs generated by rules under VPC Network -> Firewall Rules.

Note that GCP only logs firewall events under the following conditions:
- Logging needs to be enabled for each individual rule in order to log.
- Only TCP and UDP rules can be logged.

(cherry picked from commit 4a66f0b)

* googlecloud/vpcflow fileset: Populate additional log fields (#14608)

To keep the vpcflow fileset of the googlecloud module aligned with the
new firewall fileset, a `var.keep_original_message` option is added.
Also the log.logger ECS field is now filled.
adriansr added a commit to adriansr/beats that referenced this pull request Jan 17, 2020
…l logs (elastic#15621)

(cherry picked from commit 22fb66d)
adriansr added a commit that referenced this pull request Jan 17, 2020
…15621) (#15625)

(cherry picked from commit 22fb66d)
5 participants